A targeted campaign delivering the ZLoader banking trojan is spreading via Google AdWords, and is using a mechanism to disable all Windows Defender modules on victim machines, researchers have found. That’s according to SentinelLabs, which said that to lower the rates of detection, the infection chain for the campaign also includes the use of a signed dropper, plus a backdoored version of the Windows utility wextract.exe to embed the ZLoader payload itself. ZLoader has been around a while, one of many malware forks rising from the ashes of the Zeus banking trojan after its source code was published nearly 10 years ago. “[It] is a typical banking trojan which implements web injection to steal cookies, passwords and any sensitive information,” SentinelLabs analysts noted in a Monday posting on the new campaign. “It attacks users of financial institutions all over the world and has also been used to deliver ransomware families like Egregor and Ryuk. It also provides backdoor capabilities and acts as a generic loader to deliver other forms of malware.” Stealthy ZLoader Infection Chain Starts With Google AdWords To target victims, the malware is spread from a fake Google advertisement (published through Google AdWords) for various software, researchers found – an indirect alternative to social-engineering tactics like spear-phishing emails. The lures include Discord, Java plugins, Microsoft’s TeamViewer and Zoom. Thus, when someone Googles, say, “Team Viewer download,” an…
https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png 0 0 govanguard https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png govanguard2021-09-14 13:21:002021-09-14 13:21:00ZLoader's Back, Abusing Google AdWords, Disabling Windows Defender
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email firstname.lastname@example.org