ZLoader’s Back, Abusing Google AdWords, Disabling Windows Defender (Security News, September 2021)
A targeted campaign delivering the ZLoader banking trojan is spreading via Google AdWords, and is using a mechanism to disable all Windows Defender modules on victim machines, researchers have found.
The malware reaches victims through fake Google advertisements for various software, researchers found, an indirect alternative to social-engineering tactics such as spear-phishing emails.
"At first, it disables all the Windows Defender modules through the PowerShell cmdlet Set-MpPreference. It then adds exclusions, such as regsvr32, *.exe, *.dll, with the cmdlet Add-MpPreference to hide all the components of the malware from Windows Defender."
The intensive use of legitimate Windows utilities and functions helps the malware evade defenses and hide itself, researchers noted.
The script makes the Defender takedown persistent by using the NSudo utility to ensure that the "WinDefend" service is deleted at the next boot.
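The three changes described above (modules switched off with Set-MpPreference, exclusions for regsvr32, *.exe and *.dll, and removal of the WinDefend service) are all visible from the endpoint. The following audit check is an added example, not code from the article or the researchers; it assumes a Windows host with the built-in Defender PowerShell module and reads the current configuration rather than changing it.

```powershell
# Added audit check: flags the Defender tampering indicators the article describes.
# Assumes Windows 10/11 or Server with the Defender module (Get-MpPreference).
function Test-DefenderTampering {
    $findings = @()
    $pref = Get-MpPreference

    # 1. Protection modules turned off (the malware sets these via Set-MpPreference)
    foreach ($p in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                   'DisableIOAVProtection', 'DisableScriptScanning', 'DisableBlockAtFirstSeen') {
        if ($pref.$p) { $findings += "Module disabled: $p" }
    }

    # 2. Exclusions matching the quoted ones (regsvr32, *.exe, *.dll). Wildcard
    #    exclusions for whole executable types are almost never legitimate.
    $suspiciousExt  = @('exe', 'dll')
    $suspiciousProc = @('regsvr32')
    foreach ($e in @($pref.ExclusionExtension) | Where-Object { $_ }) {
        if ($suspiciousExt -contains ($e -replace '^[*.]+', '').ToLower()) {
            $findings += "Suspicious extension exclusion: $e"
        }
    }
    foreach ($proc in @($pref.ExclusionProcess) | Where-Object { $_ }) {
        $name = [IO.Path]::GetFileNameWithoutExtension($proc).ToLower()
        if ($suspiciousProc -contains $name) { $findings += "Suspicious process exclusion: $proc" }
    }
    foreach ($path in @($pref.ExclusionPath) | Where-Object { $_ }) {
        if ($path -match '\*|regsvr32') { $findings += "Suspicious path exclusion: $path" }
    }

    # 3. WinDefend service missing or stopped (the script deletes it at next boot)
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc) { $findings += 'WinDefend service is missing' }
    elseif ($svc.Status -ne 'Running') { $findings += "WinDefend service is $($svc.Status)" }

    return $findings
}

$result = Test-DefenderTampering
if ($result.Count -eq 0) { 'No Defender tampering indicators found' } else { $result }
```

Run it with administrative rights so that all preference values are readable; a non-empty result on a machine where no administrator configured those settings warrants a closer look at the PowerShell and Defender operational logs.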
"Some domains implement the gate.php component, which is a fingerprint of the ZLoader botnet," researchers explained.
News URL: https://threatpost.com/zloader-google-adwords-windows-defender/169448/