ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks
Security News, July 2021
The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.
ZLoader is being distributed through spam emails that carry various types of attachments, with the most recent ones featuring Microsoft Word documents.
As part of recent attacks analyzed by McAfee, the attached document fetches a password-protected Microsoft Excel file from a remote server.
"After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions," McAfee explained.
Once the macros have been written, the Word VBA modifies the registry so that Excel will run the newly created macros without warning the user, and then calls the macro function in the Excel file.
Next, the macros are employed to fetch and deploy the ZLoader payload onto the victim machine.
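Detection logic for the registry change described in the steps above, added here as an example and not part of McAfee's report or of the ZLoader code: it scans Sysmon registry value-set events (Event ID 13) for an Office process setting the AccessVBOM or VBAWarnings values under the per-user Office Security key. The article does not name the registry values involved; treating these two settings (trust access to the VBA project object model, and enable all macros) as the ones abused is this example's assumption. The log lines are constructed in a simplified field-separated form rather than real Sysmon XML, and the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Office trust settings under HKCU\Software\Microsoft\Office\<ver>\<app>\Security.
# Assumption of this added example (the article does not name the values):
#   AccessVBOM  = 1 -> "Trust access to the VBA project object model", which lets one
#                      document's VBA write macros into another workbook's VBA project
#   VBAWarnings = 1 -> "Enable all macros", so the written macros run with no prompt
OFFICE_SECURITY_VALUE = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d+)\\"
    r"(?P<app>Word|Excel|PowerPoint)\\Security\\(?P<value>AccessVBOM|VBAWarnings)$",
    re.IGNORECASE,
)
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Sysmon renders REG_DWORD data as "DWORD (0x00000001)"
DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
SYSMON_REGISTRY_VALUE_SET = "13"


@dataclass
class Finding:
    record_id: str
    image: str
    target: str
    value: str
    data: int
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Field: value | Field: value' Sysmon-style line."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, val = part.partition(":")  # split on the first colon only, so 'C:\' paths survive
        fields[key.strip()] = val.strip()
    return fields


def evaluate(fields: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when an Office process relaxes its own macro trust settings."""
    if fields.get("EventID") != SYSMON_REGISTRY_VALUE_SET:
        return None
    image = fields.get("Image", "")
    if image.rsplit("\\", 1)[-1].lower() not in OFFICE_PROCESSES:
        return None  # an admin tool or user editing the key is not this pattern
    target = fields.get("TargetObject", "")
    m = OFFICE_SECURITY_VALUE.search(target)
    if m is None:
        return None
    dm = DWORD.search(fields.get("Details", ""))
    if dm is None:
        return None
    data = int(dm.group(1), 16)
    value = m.group("value").lower()
    if value == "accessvbom" and data == 1:
        reason = "AccessVBOM=1: VBA project object model exposed, macros can be written into other documents"
    elif value == "vbawarnings" and data == 1:
        reason = "VBAWarnings=1: all macros enabled, no security prompt"
    else:
        return None  # e.g. VBAWarnings set back to 2 (disable with notification) is benign
    return Finding(fields.get("RecordID", "?"), image, target, m.group("value"), data, reason)


def scan(lines: List[str]) -> List[Finding]:
    """Run evaluate() over every line and keep the hits."""
    return [f for f in (evaluate(parse_event(line)) for line in lines) if f is not None]


# Constructed sample events for this example, not real telemetry.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SECURITY_KEY = r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Security"
SAMPLE_EVENTS = [
    # Word's VBA unlocks the VBA project object model, then enables all macros
    f"EventID: 13 | RecordID: 101 | Image: {WINWORD} | TargetObject: {SECURITY_KEY}\\AccessVBOM | Details: DWORD (0x00000001)",
    f"EventID: 13 | RecordID: 102 | Image: {WINWORD} | TargetObject: {SECURITY_KEY}\\VBAWarnings | Details: DWORD (0x00000001)",
    # an administrator restoring the default from regedit: not an Office process
    f"EventID: 13 | RecordID: 103 | Image: C:\\Windows\\regedit.exe | TargetObject: {SECURITY_KEY}\\VBAWarnings | Details: DWORD (0x00000002)",
    # Excel writing an unrelated option under its own hive
    f"EventID: 13 | RecordID: 104 | Image: {EXCEL} | TargetObject: HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Excel\\Options\\Foo | Details: DWORD (0x00000000)",
    # key creation (Event ID 12) rather than a value being set
    f"EventID: 12 | RecordID: 105 | Image: {WINWORD} | TargetObject: {SECURITY_KEY}\\AccessVBOM",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.record_id}] {f.image} set {f.value}={f.data}: {f.reason}")
```

Only events 101 and 102 fire: the writer is an Office process, the target is one of the two trust settings, and the data is the permissive value. Checking the process image matters because the same values are legitimately changed through the Trust Center UI or Group Policy, and neither of those is written by WINWORD.EXE while a document is open.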