Security News > 2021 > September > ZLoader’s Back, Abusing Google AdWords, Disabling Windows Defender

ZLoader’s Back, Abusing Google AdWords, Disabling Windows Defender
2021-09-14 17:21

A targeted campaign delivering the ZLoader banking trojan is spreading via Google AdWords, and is using a mechanism to disable all Windows Defender modules on victim machines, researchers have found.

To target victims, the malware is spread from a fake Google advertisement for various software, researchers found - an indirect alternative to social-engineering tactics like spear-phishing emails.

"At first, it disables all the Windows Defender modules through the PowerShell cmdlet Set-MpPreference. It then adds exclusions, such as regsvr32, *.exe, *.dll, with the cmdlet Add-MpPreference to hide all the components of the malware from Windows Defender."

The intensive use of legitimate Windows utilities and functions serves to help the malware avoid defenses and hide itself, researchers noted.

The script performs the steps to disable Windows Defender on a persistent basis by making sure that the "WinDefend" service is deleted at the next boot through the utility NSudo.

"Some domains implement the gate.php component, which is a fingerprint of the ZLoader botnet," researchers explained.


News URL

https://threatpost.com/zloader-google-adwords-windows-defender/169448/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 256 4320 4678 741 9995