New Stealthier ZLoader Variant Spreading Via Fake TeamViewer Download Ads
2021-09-14 06:43

Users searching for the TeamViewer remote desktop software on search engines such as Google are being redirected to malicious links that drop the ZLoader malware onto their systems. The new variant also uses a stealthier infection chain that lets it persist on infected devices and evade detection by security products.

First discovered in 2016, ZLoader is a fully featured banking trojan derived from the leaked source code of the ZeuS banking malware; newer versions add a VNC module that gives the operators remote access to victim systems.

The infection chain starts when a user clicks an advertisement shown by Google on the search results page and is redirected to a fake TeamViewer site under the attacker's control, where the victim is tricked into downloading a malicious installer that poses as TeamViewer and carries a valid code signature.

The fake installer acts as the first-stage dropper: it retrieves further droppers that impair the machine's defenses before the final ZLoader DLL payload is fetched. "At first, it disables all the Windows Defender modules through the PowerShell cmdlet Set-MpPreference," SentinelOne Senior Threat Intelligence Researcher Antonio Pirozzi said.
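As an added example, not code from the article or from SentinelOne, the following Python routine scans PowerShell script block text (for instance the contents of Event ID 4104 "Script Block Logging" records, which a defender would already be collecting) for the Set-MpPreference usage the quote describes. It goes beyond the text in three ways: it expands PowerShell's abbreviated parameter names (-DisableRealtime resolves to -DisableRealtimeMonitoring), it strips backtick escapes that are used to break naive string matches, and it also flags Add-MpPreference exclusions, which are a common companion to disabling modules. The parameter lists are a chosen subset of the real cmdlet's parameters, and the sample script blocks are constructed for the example, not taken from the campaign.

```python
import re
from dataclasses import dataclass

# Set-MpPreference parameters whose $true (or 1) value switches off a Defender protection.
# Subset chosen for this example; the real cmdlet exposes more of them.
DISABLE_PARAMS = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableScriptScanning", "DisableBlockAtFirstSeen", "DisableIntrusionPreventionSystem",
    "DisableArchiveScanning", "DisableRemovableDriveScanning",
}
# Parameters that carve scanning exclusions; any value at all is worth a look.
EXCLUSION_PARAMS = {"ExclusionPath", "ExclusionProcess", "ExclusionExtension"}


@dataclass
class Finding:
    cmdlet: str      # canonical cmdlet name, e.g. "Set-MpPreference"
    parameter: str   # canonical (expanded) parameter name
    value: str       # raw value as written in the script block


_CMDLET_RE = re.compile(r"\b(set|add)-MpPreference\b", re.IGNORECASE)
# One parameter and its optional value: "-Name value", "-Name:value" or "-Name" alone.
_PARAM_RE = re.compile(r"-(\w+)(?:\s*:\s*|\s+)?('[^']*'|\"[^\"]*\"|(?!-)[^\s;,]+)?")


def expand_parameter(abbrev, candidates):
    """PowerShell accepts any unambiguous prefix of a parameter name, so a detection
    that only matches the full spelling misses -DisableRealtime and the like."""
    matches = [c for c in candidates if c.lower().startswith(abbrev.lower())]
    return matches[0] if len(matches) == 1 else None


def scan_script_block(text):
    """Return a Finding for every defense-impairing Set/Add-MpPreference argument in one
    script block. Backticks are removed first: they escape characters inside barewords
    (S`et-MpPreference) and are a common way to defeat plain substring matching."""
    text = text.replace("`", "")
    findings = []
    for m in _CMDLET_RE.finditer(text):
        cmdlet = m.group(1).title() + "-MpPreference"
        # Arguments run until the statement ends at a newline, ';' or pipe.
        args = re.split(r"[;\n|]", text[m.end():], maxsplit=1)[0]
        for pm in _PARAM_RE.finditer(args):
            name = expand_parameter(pm.group(1), DISABLE_PARAMS | EXCLUSION_PARAMS)
            value = pm.group(2) or ""
            if name in EXCLUSION_PARAMS:
                findings.append(Finding(cmdlet, name, value))
            elif name in DISABLE_PARAMS and value.lower() in ("$true", "1"):
                findings.append(Finding(cmdlet, name, value))
    return findings


def triage(script_blocks):
    """Indexes of the script blocks that carry at least one finding."""
    return [i for i, block in enumerate(script_blocks) if scan_script_block(block)]


# Constructed sample script blocks (not real telemetry from the campaign).
SAMPLE_SCRIPT_BLOCKS = [
    # benign administrative change: nothing is disabled
    r"Set-MpPreference -ScanScheduleDay Everyday -DisableArchiveScanning $false",
    # the defense-impairing pattern the article describes, spelled out in full
    r"Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true "
    r"-DisableBehaviorMonitoring $true",
    # abbreviated parameter, colon syntax, backtick escape and an added exclusion
    r"S`et-MpPreference -DisableRealtime:$True; Add-MpPreference -ExclusionPath 'C:\ProgramData\tv'",
    # read-only query of the same settings: not a finding
    r"Get-MpPreference | Select DisableRealtimeMonitoring",
]

if __name__ == "__main__":
    for i in triage(SAMPLE_SCRIPT_BLOCKS):
        for f in scan_script_block(SAMPLE_SCRIPT_BLOCKS[i]):
            print(f"block {i}: {f.cmdlet} -{f.parameter} {f.value}")
```

Two notes on the design. The regex-based argument parsing is deliberately statement-scoped (it stops at `;`, a newline or a pipe) so that a benign `Get-MpPreference | Select ...` does not inherit flags from an unrelated command on the same line, and the value check only treats `$true` and `1` as disabling, because `-DisableArchiveScanning $false` is a legitimate hardening change that a looser rule would flag. Script block logging must be enabled for this telemetry to exist at all; a dropper that runs before logging is configured leaves nothing for the scanner to read.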

The cybersecurity firm said it found additional artifacts that mimic popular apps such as Discord and Zoom, suggesting the attackers were running several campaigns in parallel beyond the TeamViewer lure.

"The attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a higher level of stealthiness, using an alternative to the classic approach of compromising victims through phishing emails," Pirozzi explained.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/8ae2cGOR5tA/new-stealthier-zloader-variant.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Teamviewer 3 2 11 2 1 16