- The ZLoader is “re-loading” through a new wave of phishing campaigns that mainly target U.S.-based systems.
- The lures have to do with invoicing matters, or just exploit the COVID-19 theming to trick the recipients into opening the attachments.
- ZLoader is past its best, but it has returned to being actively developed again, featuring stronger anti-analysis systems.
Researchers see a surge in the deployment of the ZLoader, a banking malware that peaked in popularity in early 2018. Since the beginning of the year, over a hundred email campaigns have deployed ZLoader, so there’s clearly a reignition here. A few weeks back, we analyzed how the ceasing of operations for the “Dreambot” Trojan was justified by the simultaneous rise of the ZLoader and many new Gozi variants. ZLoader has returned in a status of active development, with its authors having released 25 versions since December 2019.
Proofpoint has tracked the versions that spew in the wild, with the last one being v18.104.22.168 released this month. This latest version employs new anti-analysis systems such as code obfuscation, string encryption, API function hashing, and junk code thrown literally everywhere. Moreover, the ZLoader is now using a backup domain generation algorithm to ensure its connectivity with C&C no matter what happens, using the BaseConfig RC4 key to encrypt it. As for the files that are used as lures, these are mainly PDF documents that arrive as attachments on the emails. The same has been recently confirmed by IBM Security Intelligence researchers, who also noticed the spike in the use of ZLoader since the end of March.
The main countries targeted by the ZLoader-backed phishing campaigns are the United States, Canada, Germany, Poland, and Australia, but of course, there are victims worldwide. The subject or theme of the emails usually concerns COVID-19 or invoices. The goal of the actors is to steal banking login credentials, internet browser cookies, and email passwords. The crooks are then using the stolen data to log into the victim’s account through a Virtual Network Computing client that runs right on the victim’s machine, thus passing through the fingerprinting protection checks of the online banking systems.
The ZLoader was once sold for $4,000 and was considered a top-notch malware tool that aided cyber-criminals who engaged in financial fraud. The cost of the current versions must be somewhere in the couple-hundred range, so it is nowhere near its previous prestigious days. However, it is a pretty effective and powerful tool that can still do great damage to its targets, and maybe the sudden rise in its deployment is the direct result of an offensive pricing strategy coming from its developers.