ZLoader (also known as DELoader and Terdot) is a malicious program distributed through malicious web pages that display a fake error notification. In addition, research shows that ZLoader is designed to infect systems with another malicious program, a banking trojan called Zeus.

In one of the ZLoader campaigns, detected on April 4, the victim was told they may have been in contact with a family member, friend or neighbor infected with coronavirus, and a malicious attachment was offered as supposedly containing further details on how to take a free medical test at their nearest hospital. Proofpoint comments that, almost two years after the last ZLoader activity, they began to observe campaigns using a new banking malware whose functionality and network traffic resembled those seen back then.

The ZLoader malware first appeared in 2006 as a variant of the Zeus banking Trojan. It uses webinject attacks to steal credentials and other private data of users of the targeted financial institutions. It can also capture passwords and cookies stored in the victims’ web browsers. With all this stolen information, ZLoader can use a Virtual Network Computing (VNC) client to let cybercriminals connect to the victim’s system and carry out fraudulent transactions from what appears to be a legitimate device.

This threat employs various mechanisms to hinder detection and reverse engineering, such as junk code, constant obfuscation, hashing of Windows API functions, string encryption, and command-and-control-based blacklisting. Of the more than a hundred campaigns Proofpoint has analyzed since January, some targeted users in the United States, Canada, Germany, Poland and Australia.
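API hashing, one of the evasion mechanisms listed above, replaces imported function names with numeric hashes so that static tools see no telltale import table. An analyst defeats it by recomputing the hash over a list of known export names and matching. The script below is an added example written for this article, not code from the article or from any ZLoader analysis; it assumes a ROR-13 hash (a common choice in loaders, chosen here purely for illustration, since the article does not say which algorithm ZLoader uses) and a constructed list of API names standing in for the export tables an analyst would dump from system DLLs.

```python
"""Resolve hashed Windows API names during analysis of a sample that
imports functions by hash instead of by name (added example).

Assumptions, labelled here and in the lead-in:
  - api_hash() implements a ROR-13 hash; this is a hypothetical choice,
    the article does not state ZLoader's actual algorithm.
  - SAMPLE_EXPORTS is a constructed list; in practice it is generated
    from the export tables of kernel32.dll, ntdll.dll, wininet.dll, etc.
"""

from typing import Dict, Iterable, List


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """Hypothetical ROR-13 API hash: rotate, then add each ASCII byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ror32(h, 13)
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for real DLL export tables.
SAMPLE_EXPORTS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileA", "WriteFile", "CloseHandle", "InternetOpenA",
    "InternetConnectA", "HttpOpenRequestA",
]


def build_table(names: Iterable[str]) -> Dict[int, List[str]]:
    """Precompute hash -> candidate names; collisions are kept, not hidden."""
    table: Dict[int, List[str]] = {}
    for n in names:
        table.setdefault(api_hash(n), []).append(n)
    return table


def resolve(hashes: Iterable[int], table: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Map each hash pulled from a sample to the names that produce it.

    An empty list means the hash is not covered by the export list, which
    usually signals a missing DLL in the table or a different algorithm.
    """
    return {h: table.get(h, []) for h in hashes}


if __name__ == "__main__":
    # Constructed "hashes found in the sample": two known, one unknown.
    found = [api_hash("VirtualAlloc"), api_hash("InternetOpenA"), 0xDEADBEEF]
    for h, names in resolve(found, build_table(SAMPLE_EXPORTS)).items():
        print(f"0x{h:08X} -> {names or 'unresolved'}")
```

When the recovered names cluster around networking, memory allocation and process manipulation, that grouping is itself a useful static indicator, and an unresolved hash is the cue to try another algorithm or add more DLLs to the export list.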

We can follow some tips to avoid this threat: do not download software through third-party downloaders, peer-to-peer networks or other unofficial tools; use only official, trusted websites and direct download links. Do not open attachments (or web links) in irrelevant emails received from unknown or suspicious addresses.
