ZLoader Is Back to Supporting Over One Hundred Malicious Campaigns

By Bill Toulas / May 22, 2020

Researchers are seeing a surge in deployments of ZLoader, a banking malware that peaked in popularity in early 2018. Since the beginning of the year, more than a hundred email campaigns have delivered ZLoader, so it has clearly been revived. A few weeks back, we analyzed how the shutdown of the “Dreambot” Trojan was explained by the simultaneous rise of ZLoader and many new Gozi variants. ZLoader has returned and is under active development, with its authors having released 25 versions since December 2019.

Proofpoint has tracked the versions appearing in the wild, the latest being v1.2.24.0, released this month. This version adds new anti-analysis measures such as code obfuscation, string encryption, API function hashing, and junk code inserted throughout. Moreover, ZLoader now uses a backup domain generation algorithm (DGA), encrypted with the BaseConfig RC4 key, to ensure its command-and-control (C&C) connectivity no matter what happens. The lures are mainly PDF documents that arrive as email attachments. IBM Security Intelligence researchers recently confirmed the same trend, having also noticed the spike in ZLoader use since the end of March.

The main countries targeted by ZLoader-backed phishing campaigns are the United States, Canada, Germany, Poland, and Australia, but of course there are victims worldwide. The email subjects or themes usually concern COVID-19 or invoices. The actors’ goal is to steal banking login credentials, browser cookies, and email passwords. The crooks then use the stolen data to log into the victim’s account through a Virtual Network Computing (VNC) client running directly on the victim’s machine, which lets the session pass the fingerprinting checks of online banking systems.

ZLoader was once sold for $4,000 and was considered a top-notch malware tool for cyber-criminals engaged in financial fraud. The current versions probably cost somewhere in the couple-hundred-dollar range, so it is nowhere near its former prestige. It remains, however, a fairly effective and powerful tool that can still do great damage to its targets, and the sudden rise in its deployment may be the direct result of an aggressive pricing strategy by its developers.
