Jump to content

  • New Zloader attacks disable Windows Defender to evade detection

    Karlston By Karlston, in Security & Privacy News, , 0 comments, 101 views
     Share

    An ongoing Zloader campaign uses a new infection chain to disable Microsoft Defender Antivirus (formerly Windows Defender) on victims' computers to evade detection.

     

    According to Microsoft's stats, Microsoft Defender Antivirus is the anti-malware solution pre-installed on more than 1 billion systems running Windows 10.

     

    The attackers have also changed the malware delivery vector from spam or phishing emails to TeamViewer Google ads published through Google Adwords, redirecting the targets to fake download sites.

     

    From there, they are tricked into downloading signed and malicious MSI installers designed to install Zloader malware payloads on their computers.

     

    "The attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a higher level of stealthiness," said SentinelLabs security researchers Antonio Pirozzi and Antonio Cocomazzi in a report published today.

     

    "The first stage dropper has been changed from the classic malicious document to a stealthy, signed MSI payload. It uses backdoored binaries and a series of LOLBAS to impair defenses and proxy the execution of their payloads.

     

    Zloader%20attack%20chain.jpg

    Zloader attack chain (SentinelLabs)

    Attacks focused on Australian and German banking customers

    Zloader (also known as Terdot and DELoader) is a banking trojan initially spotted back in August 2015 when it was used to attack several British financial targets' customers.

     

    Like Zeus Panda and Floki Bot, this malware is almost entirely based on the Zeus v2 Trojan's source code leaked online more than a decade ago.

     

    The banking trojan targeted banks worldwide, from Australia and Brazil to North America, attempting to harvest financial data via web injections that use social engineering to convince infected customers to hand out auth codes and credentials.

     

    More recently, it has also been used to deliver ransomware payloads such as Ryuk and Egregor. Zloader also comes with backdoor and remote access capabilities, and it can also be used as a malware loader to drop further payloads on infected devices.

     

    According to SentinelLabs' research, this latest campaign is primarily focused on targeting customers of German and Australian banking institutions.

     

    "This is the first time we have observed this attack chain in a ZLoader campaign," SentinelLabs' researchers concluded.

     

    "At the time of writing, we have no evidence that the delivery chain has been implemented by a specific affiliate or if it was provided by the main operator."

     

    MalwareBytes, who tracks this malvertising campaign they named Malsmoke since the start of 2020, saw the threat actors infecting their targets with the Smoke Loader malware dropper using the Fallout exploit kit via adult-themed malicious sites.

     

    They've switched to sites imitating Discord, TeamViewer, Zoom, and QuickBooks starting with the end of August 2021, and are likely targeting businesses rather than individuals according to security researcher nao_sec.

     

     

    New Zloader attacks disable Windows Defender to evade detection

     Share


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You are posting as a guest. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...