New ZLoader Strain Spreading trough Fake TeamViewer Download Ads

The new ZLoader variation leverages paid Google ads to encourage and propagate malware downloads by impersonating the official TeamViewer website.

New ZLoader Strain Spreading trough Fake TeamViewer Download Ads
New ZLoader Strain Spreading trough Fake TeamViewer Download Ads | Image redits: BankInfoSecurity

In 2016, the ZLoader banking trojan was initially discovered to be a variant of the famed Zeus Trojan. During the second half of 2019, an average of 1-2 new variations of the scam appeared per week.

The last ZLoader strain uses Google Adwords advertisement to promote malware downloads. While traditional approaches to hacking, like phishing, are still effective, newer methods like the one used in this operation are also commonly used.

Security experts from Sentinel One believe that fraudsters are targeting users of Australian and German financial institutions in the most recent attack, with the goal of intercepting web requests to banking portals and stealing bank credentials. Additionally, the campaign is distinct in that it employs a variety of techniques to prevent detection, such as running a series of commands to disable Windows Defender and hide the malicious behavior.

Users should take caution when downloading applications

After clicking on an ad displayed by Google on the search results page, the victim is taken to the attacker's fake TeamViewer site, where the attacker's software is ready to be downloaded and installed, thus fooling the victim ("Team-Viewer.msi"). The fake installer is the first step dropper to begin a series of operations involving the download of next-stage droppers intended at damaging defenses and finally the download of the ZLoader DLL payload ("tim.dll").

The cybersecurity firm discovered further artifacts that imitate prominent apps like Discord and Zoom, which indicates that the attackers had several different campaigns active.

In order to be more stealthy, the attack chain was examined by cybersecurity professionals to determine how the sophistication of the attack increased over time. An MSI payload disguised as a covert malware document has replaced the regular malware document as the dropper for the first stage. Its payloads are delivered using backdoor binaries and a series of LOLBAS, which are used to disguise the malware's attack and carry it out.