An ongoing Zloader campaign uses a new infection chain that disables Microsoft Defender Antivirus (formerly Windows Defender) on victims' computers to evade detection.
According to Microsoft's own figures, Microsoft Defender Antivirus is the antivirus solution pre-installed on more than one billion Windows 10 systems, so switching it off leaves most targets with no default protection at all.
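The article says the installer disables Defender but not how, so the following is an added example, not code from the article or from the researchers it cites: a PowerShell audit a responder can run (elevated) on a host suspected of Zloader infection. It checks the generic outcomes of that tampering, namely real-time protection turned off, exclusions added, Defender disabled through policy registry keys, and Defender's own "protection disabled" events. The cmdlets, registry paths and event IDs are real; the function name, the lookback window and the idea of treating a failing Defender WMI provider as a finding are this example's own assumptions.

```powershell
# Added example (not from the article or from any vendor report): audit the
# state of Microsoft Defender Antivirus on a host suspected of tampering.
# Cmdlets, registry paths and event IDs are real; the function name and the
# default lookback window are assumptions made for this example.

function Test-DefenderTampering {
    [CmdletBinding()]
    param(
        # Assumption: how far back to search for "protection disabled" events.
        [int]$LookbackHours = 72
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Live engine status. On a host where Defender has been disabled, the
    #    Defender WMI provider may itself be unavailable; treat that as a finding.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        if (-not $status.AntivirusEnabled)          { $findings.Add('AntivirusEnabled is false') }
        if (-not $status.RealTimeProtectionEnabled) { $findings.Add('RealTimeProtectionEnabled is false') }
        if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off') }
    } catch {
        $findings.Add("Get-MpComputerStatus failed: $($_.Exception.Message)")
    }

    # 2. Preferences and exclusions. Loaders often exclude their own drop path
    #    or process instead of stopping the service outright.
    try {
        $pref = Get-MpPreference -ErrorAction Stop
        if ($pref.DisableRealtimeMonitoring) { $findings.Add('DisableRealtimeMonitoring is set') }
        foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings.Add("Path exclusion: $p") } }
        foreach ($p in @($pref.ExclusionProcess))   { if ($p) { $findings.Add("Process exclusion: $p") } }
        foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings.Add("Extension exclusion: $e") } }
    } catch {
        $findings.Add("Get-MpPreference failed: $($_.Exception.Message)")
    }

    # 3. Policy registry values that disable Defender regardless of UI settings.
    $policyChecks = @(
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
    )
    foreach ($c in $policyChecks) {
        $v = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -eq 1) { $findings.Add("Policy $($c.Key)\$($c.Name) = 1") }
    }

    # 4. Defender's operational log: 5001 = real-time protection disabled,
    #    5010 = anti-spyware scanning disabled, 5012 = antivirus scanning disabled.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010, 5012
        StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $firstLine = ($ev.Message -split "`n")[0]
        $findings.Add("Event $($ev.Id) at $($ev.TimeCreated): $firstLine")
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Tampered = ($findings.Count -gt 0)
        Findings = $findings
    }
}

# Usage (run from an elevated PowerShell session):
# Test-DefenderTampering -LookbackHours 168 | Format-List
```

A clean host returns `Tampered = False` with an empty findings list. Because the article does not describe the mechanism the installer uses, the check deliberately covers several independent ways Defender can be neutralised rather than one; an attacker who only adds an exclusion, for example, would pass the engine-status check but fail the preferences check.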
The attackers have also changed their delivery method from spam or phishing messages to Google search ads, bought through Google AdWords and posing as TeamViewer downloads, that redirect targets to fake download sites.
From there, victims are tricked into downloading malicious MSI installers that install the Zloader payload on their computers.
The attacks targeted bank customers in Australia and Germany.
Zloader (also known as Terdot and DELoader) is a banking trojan first detected in August 2015, when it was used to attack customers of several UK financial institutions.
Like Zeus Panda and Floki Bot, the malware is based almost entirely on the Zeus v2 trojan source code that leaked online more than a decade ago.
Since then the trojan has targeted banks around the world, from Australia and Brazil to North America, harvesting financial data through web injections and using social engineering to persuade infected customers to hand over codes and credentials.
More recently it has been used to deliver ransomware payloads such as Ryuk and Egregor. Zloader has backdoor and remote-access capabilities and can also act as a malware loader that delivers additional payloads to infected devices.
According to SentinelLabs research, the latest campaign focuses mainly on customers of German and Australian banking institutions.
Malwarebytes, which has been tracking this campaign (dubbed Malsmoke) since early 2020, has seen the threat actors infect their targets with the Smoke Loader malware dropper using the Fallout exploit kit, delivered through malicious websites.
Since late August 2021 the operators have switched to sites that mimic Discord, TeamViewer, Zoom and QuickBooks, and are likely targeting businesses rather than individuals, according to security researcher nao_sec.
Source: bleepingcomputer.com