Microsoft Warns About ZLoader Malware's New Capabilities

ZLoader, originally a banking Trojan that evolved into ransomware-delivering malware, has now expanded its capabilities further and can hide in malicious Google ads.

Microsoft Security Intelligence tweeted a warning about the ZLoader malware's shifting approach. Microsoft researchers called the change a "notable shift in delivery method": ZLoader has moved from malicious spam email campaigns to the abuse of advertising platforms.

The new tactic used by the ZLoader operators is to purchase Google ads and point them at websites hosting installers that mimic legitimate software, while in reality the installer packages are malware.

Microsoft further detailed that the new approach required setting up a fake company entity, which is then used to purchase the ad space linking to the malicious websites. Once victims click through the bad ads and the malware lands on their systems, the campaign operators can sell access to the infected devices to interested third parties.

Naturally, Microsoft reported this exploitative behavior to Google and the use of ZLoader in malicious Google ads has dropped significantly.

ZLoader started out as a banking Trojan toolkit used to steal passwords and other browser data, but later evolved. The malware also began delivering ransomware, notably the Conti ransomware. The ZLoader toolkit also includes backdoor-like capabilities that allow its operators to install further malware on infected devices.

In its latest evolution, the recent campaign that abused Google ads, Microsoft also spotted ZLoader being used to distribute the infamous Ryuk ransomware. ZLoader can also execute Windows PowerShell commands to disable security defenses on the infected system.

September 24, 2021