The well-known banking trojan ZLoader has adopted a brand-new attack strategy, using ads for Microsoft TeamViewer and Zoom to lure unsuspecting victims.
Researchers have discovered a new targeted campaign delivering the ZLoader banking trojan through Google AdWords and engaging a sophisticated mechanism to disable Windows Defender on compromised devices.
SentinelLabs said that, to better evade detection, the infection chain also includes the use of a signed dropper, in addition to a compromised version of the Windows utility wextract.exe to embed the ZLoader itself.
The malware is a descendant of the Zeus banking trojan and has been around for some time now.
“[It] is a typical banking trojan which implements web injection to steal cookies, passwords, and any sensitive information,” SentinelLabs experts noted in a Monday posting regarding the latest campaign. “It attacks users of financial institutions all over the world and has also been used to deliver ransomware families like Egregor and Ryuk. It also provides backdoor capabilities and acts as a generic loader to deliver other forms of malware.”
Sneaky ZLoader Infection Begins With Google AdWords
To target its victims, the malware spreads from a fake Google advertisement (published through Google AdWords) for various software, including Discord, Java plugins, Microsoft’s TeamViewer, and Zoom.
So when a user searches for, let’s say, “Zoom download,” an advertisement displayed by Google redirects them to a fake Zoom site controlled by the attacker, according to researchers. From there, the person can be lured into downloading a malicious installer in signed MSI format, carrying a signing timestamp of August 23.
“It appears that the cybercriminals managed to obtain a valid certificate issued by Flyintellect Inc., a Software company in Brampton, Canada,” researchers explained. “The company was registered on 29 June 2021, suggesting that the threat actor possibly registered the company for the purpose of obtaining those certificates.”
Disabling Windows Defender
The installer mentioned earlier is not for legitimate software, but the first-stage dropper for the malware.
Following the download, the signed .MSI file will launch an installation wizard that creates the C:\Program Files (x86)\Sun Technology Network\Oracle Java SE directory and drops a .BAT file called “setup.bat.”
Next, the Windows command interpreter cmd.exe is used to execute that file, which in turn downloads the second-stage dropper. This second dropper executes a script called “updatescript.bat,” and it is during this stage that the malicious script does most of the sneaky Defender-killing work.
“The third stage dropper contains most of the logic to impair the defenses of the machine,” researchers explained. “At first, it disables all the Windows Defender modules through the PowerShell cmdlet Set-MpPreference. It then adds exclusions, such as regsvr32, *.exe, *.dll, with the cmdlet Add-MpPreference to hide all the components of the malware from Windows Defender.”
Then it downloads a fourth-stage dropper from the link “hxxps://pornofilmspremium.com/tim[dot]exe,” which is saved as “tim.exe” and launched through the legitimate Windows explorer.exe process.
“This allows the attacker to break the parent/child correlation often used by endpoint detection and response (EDRs) for detection,” researchers explained.
SentinelLabs experts added that the tim.exe binary is, in fact, a backdoored version of the legitimate wextract.exe Windows utility, and it contains additional code for creating a new batch file named “tim.bat.” This backdoored version contains extra embedded resources with names like “RUNPROGRAM”, “REBOOT”, and “POSTRUNPROGRAM”, among others.
“The tim.bat file is a very short script that downloads the final ZLoader DLL payload with the name tim.dll,” they noted. The tim.dll payload is executed using the legitimate Windows utility regsvr32, which lets the attackers proxy execution of the DLL through a Microsoft-signed binary.
According to researchers, the intensive use of Windows utilities and functions helps ZLoader hide and avoid defenses.
Defense Evasion Doesn’t Stop Here
Tim.bat downloads another script, called “nsudo.bat,” which executes several operations to elevate privileges on the system and impair defenses:
- It checks if the current context of execution is privileged by verifying the access to the SYSTEM hive.
- It implements an auto-elevation VBScript that aims to run an elevated process in order to make system changes.
- Once the elevation happens, the script is run with elevated privileges.
- The script performs the steps to disable Windows Defender on a persistent basis by making sure that the “WinDefend” service is deleted at the next boot through the utility NSudo.
- The nsudo.bat script also completely disables Microsoft’s User Account Control (UAC) security.
- It forces the computer to restart, so that the changes can take place.
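The defense-evasion steps described above (the Defender-disabling cmdlets and wildcard exclusions, the explorer.exe/regsvr32 proxy execution of tim.exe and tim.dll, and the nsudo.bat stage that removes the WinDefend service and turns off UAC) are all visible in ordinary endpoint telemetry. The following is an added example of detection logic written for this article, not SentinelLabs’ or Threatpost’s code. It assumes a simplified key=value log format that mimics Sysmon process-creation events (EventID=1 with Image, ParentImage, CommandLine) and PowerShell script-block logging (EventID=4104 with ScriptBlockText); the log lines, file paths, rule names and the `sc.exe delete WinDefend` command are constructed for the example, not taken from the campaign.

```python
"""Detection rules for the ZLoader-style defense-evasion chain (added example).

Assumes a constructed key=value log format imitating Sysmon EventID 1 fields
and PowerShell script-block (EventID 4104) fields. All sample lines are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed telemetry: one event per line; quoted values may contain spaces.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\msiexec.exe CommandLine="cmd.exe /c C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat"
EventID=4104 ScriptBlockText="Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true"
EventID=4104 ScriptBlockText="Add-MpPreference -ExclusionExtension exe,dll -ExclusionProcess regsvr32.exe"
EventID=1 Image=C:\Users\victim\AppData\Local\Temp\tim.exe ParentImage=C:\Windows\explorer.exe CommandLine="C:\Users\victim\AppData\Local\Temp\tim.exe"
EventID=1 Image=C:\Windows\System32\regsvr32.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="regsvr32.exe /s C:\Users\victim\AppData\Local\Temp\tim.dll"
EventID=1 Image=C:\Windows\System32\reg.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"
EventID=1 Image=C:\Windows\System32\sc.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="sc.exe delete WinDefend"
EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe"
EventID=4104 ScriptBlockText="Get-MpPreference"
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|AppData)\\", re.IGNORECASE)

# Single-field rules: (rule name, ATT&CK technique, EventID, field, pattern).
FIELD_RULES = [
    ("defender_disabled_via_cmdlet", "T1562.001", "4104", "ScriptBlockText",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.IGNORECASE)),
    ("defender_exclusion_added", "T1562.001", "4104", "ScriptBlockText",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)),
    ("uac_disabled_enablelua", "T1548.002", "1", "CommandLine",
     re.compile(r"EnableLUA\b.*\s/d\s+0(\s|$)", re.IGNORECASE)),
    ("windefend_service_removed", "T1562.001", "1", "CommandLine",
     re.compile(r"\bsc(\.exe)?\s+(delete|config)\s+WinDefend\b|Services\\WinDefend\b", re.IGNORECASE)),
]


@dataclass
class Finding:
    rule: str
    technique: str
    line_no: int
    evidence: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def process_chain_rules(f: Dict[str, str]) -> List[Tuple[str, str]]:
    """Rules that need several fields of one process-creation event."""
    image = f.get("Image", "").lower()
    parent = f.get("ParentImage", "").lower()
    cmdline = f.get("CommandLine", "")
    hits: List[Tuple[str, str]] = []
    # A (signed) MSI installer spawning a command shell: the setup.bat stage.
    if parent.endswith("\\msiexec.exe") and image.endswith(("\\cmd.exe", "\\powershell.exe")):
        hits.append(("installer_spawned_shell", "T1204.002"))
    # Binary in a user-writable directory started by explorer.exe: the shell is
    # interposed to cut the parent/child link back to the dropper. Noisy alone
    # (users double-click downloads), so it is a correlation signal only.
    if parent.endswith("\\explorer.exe") and USER_WRITABLE.search(image):
        hits.append(("explorer_parent_user_writable_image", "signal-only"))
    # Microsoft-signed regsvr32 asked to load a DLL from a user-writable path.
    if image.endswith("\\regsvr32.exe") and USER_WRITABLE.search(cmdline):
        hits.append(("regsvr32_proxy_user_writable_dll", "T1218.010"))
    return hits


def detect(log_text: str) -> List[Finding]:
    """Run every rule over every line; line numbers are 1-based in the input."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        f = parse_line(line)
        eid = f.get("EventID", "")
        for name, tech, rule_eid, field, pat in FIELD_RULES:
            if eid == rule_eid and pat.search(f.get(field, "")):
                findings.append(Finding(name, tech, n, f.get(field, "")))
        if eid == "1":
            for name, tech in process_chain_rules(f):
                findings.append(Finding(name, tech, n, f.get("CommandLine", "")))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Hits per rule; one host tripping several rules in sequence is the real alert."""
    counts: Dict[str, int] = {}
    for x in findings:
        counts[x.rule] = counts.get(x.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.rule} [{hit.technique}] {hit.evidence}")
    print(summarize(detect(SAMPLE_LOG)))
```

Run stand-alone, the script flags seven of the nine constructed events and leaves the benign notepad.exe launch and the read-only Get-MpPreference call alone. The individual rules are deliberately plain; what makes this chain stand out is that one host trips the installer-to-shell, Defender-tampering, regsvr32 and UAC/WinDefend rules within minutes of each other, so the summary per host, not any single hit, is what an analyst should alert on.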
The Tim Botnet
According to SentinelLabs’ analysis, the cybercriminals’ infrastructure includes the Tim botnet, which involves at least 350 different web domains.
“Some domains implement the gate.php component, which is a fingerprint of the ZLoader botnet,” researchers added. “We noticed during our investigation that all the domains were registered from April to Aug 2021, and they switched to the new IP (195.24.66[dot]70) on the 26th of August.”
Researchers have never before seen this particular attack chain in a ZLoader campaign. For the moment it is targeting customers of Australian and German banking institutions, but experts worry that, if the campaign is successful, it could spread worldwide.
“The attack chain…shows how the complexity of the attack has grown in order to reach a higher level of stealthiness,” researchers concluded. “The first stage dropper has been changed from the classic malicious document to a stealthy, signed MSI payload. It uses backdoored binaries and a series of [living off the land utilities] to impair defenses and proxy the execution of their payloads.”