ZE Loader Enables Overlay Attacks through an RDP Connection

The ZE Loader is a malicious Windows application whose operators use it to carry out so-called overlay attacks. This attack technique focuses on stealing financial data from victims by displaying fake phishing prompts on top of legitimate applications and websites. In the case of ZE Loader, the criminals are targeting banks, online payment processors, and cryptocurrency exchanges. The attacker is able to interact with the victim's machine in real time, which greatly enhances the finesse of the whole operation.

Typically, victims of the ZE Loader end up interacting with the malware because of phishing emails, fake downloads, or pirated software. Once running, the ZE Loader makes several changes to the Windows installation. These changes give the remote attacker easier access:

  • It ensures that the Trojan is running with administrator permissions.
  • It establishes a Remote Desktop Protocol (RDP) connection to the command-and-control server.
  • ZE Loader enables multiple RDP connections on the infected device by tampering with the Windows Registry.
  • The malware also creates a new user account with the name Administart0r and password 123mudar.
  • Finally, the implant makes sure to allow RDP connections through the Windows Firewall.
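The host changes listed above are all things a defender can check for directly. The following PowerShell triage script is an added example for this article, not code from the malware or from the original write-up. The account name Administart0r is taken from the article; the registry value names (fDenyTSConnections, fSingleSessionPerUser under the Terminal Server key) are the standard Windows settings for enabling RDP and for allowing more than one session per user, and it is an assumption that these are the values the malware edits. Run it from an elevated prompt on the machine under investigation.

```powershell
# Added triage script: looks for the ZE Loader-style host changes described in the article.
# Not the malware's code and not from the original article; registry value names are an
# assumption about which Terminal Server settings were tampered with.

$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$findings = @()

# 1. Rogue local account (name taken from the article). Record whether it is a local admin.
$user = Get-LocalUser -Name 'Administart0r' -ErrorAction SilentlyContinue
if ($user) {
    $isAdmin = $null -ne (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                          Where-Object { $_.Name -like '*\Administart0r' })
    $findings += "Local account 'Administart0r' exists (enabled=$($user.Enabled), admin=$isAdmin)"
}

# 2. RDP enabled and multiple concurrent sessions per user allowed.
$ts = Get-ItemProperty -Path $TsKey -ErrorAction SilentlyContinue
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled (fDenyTSConnections=0)'
}
if ($ts.fSingleSessionPerUser -eq 0) {
    $findings += 'Multiple RDP sessions per user are allowed (fSingleSessionPerUser=0)'
}

# 3. Enabled inbound firewall rules that allow TCP/3389 (RDP) through.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
foreach ($r in $rdpRules) {
    $findings += "Inbound allow rule for port 3389: '$($r.DisplayName)' (group: $($r.DisplayGroup))"
}

if ($findings.Count -eq 0) {
    'No ZE Loader-style host changes found.'
} else {
    $findings
}
```

Any single finding can be legitimate on its own (an administrator may have enabled RDP on purpose), so treat the combination, and in particular the unexpected local account, as the signal worth escalating.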

In the meantime, the malware will also drop some files on the victim's machine. Some of these are designed to loosen the security measures, while a JDK_SDK file carries all of the assets that the Trojan uses during its attack. This is rather uncommon – typically, Trojans that execute overlay attacks fetch their images and phishing pages from the remote server. This malware, however, stores all of these assets in an encrypted state on the victim's machine.

ZE Loader Operators Orchestrate Attacks through RDP Connections

ZE Loader actively monitors newly opened processes and active browser sessions. If it identifies that the user is trying to load one of the supported online banking sites or an app that the Trojan targets, the attacker receives a notification. Once the criminals connect via RDP, they can begin to execute commands. Typically, that means showing the phishing assets from the JDK_SDK file that the ZE Loader brought along. The criminals are able to play out various scenarios to steal data. For example, they could ask the user for login credentials, credit card data, two-factor authentication codes, and more.
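Because the operators act over a live RDP session, the Windows Security log keeps a record of their logons: a successful logon (event 4624) with logon type 10 is a remote-interactive, i.e. RDP, logon. The script below is an added example for this article, not the malware's code or the original author's; it lists such logons from the last N hours, flags any that used the Administart0r account the article says the malware creates (it is an assumption that the operators log on with that account), and shows sessions connected right now via the built-in quser tool. Reading the Security log requires an elevated prompt.

```powershell
# Added example: surface RDP (remote-interactive) logons and current sessions on a host.
# Not from the article or the malware. Event ID 4624 / logon type 10 are standard Windows
# Security log values; flagging Administart0r assumes the operators use that account.

param([int]$Hours = 24)

function Get-RdpLogons {
    param([int]$Hours)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the EventData name/value pairs out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.LogonType -eq '10') {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                User   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Source = $d.IpAddress
                Note   = if ($d.TargetUserName -eq 'Administart0r') { 'account created by ZE Loader' } else { '' }
            }
        }
    }
}

"RDP logons in the last $Hours hour(s):"
Get-RdpLogons -Hours $Hours | Sort-Object Time | Format-Table -AutoSize

# Sessions attached right now; entries named rdp-tcp#N are RDP sessions.
'Current sessions:'
quser 2>$null
```

The source address column is the quickest way to tell an expected helpdesk session from one that has no business being there; pair it with the host-configuration checks from the previous section when deciding whether to isolate the machine.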

While the ZE Loader does not execute the most sophisticated overlay attack we have seen, it is still a very dangerous piece of malware. Protect your Windows systems from such attacks by using up-to-date antivirus tools. Of course, also make sure to learn how to browse the Web safely.

September 24, 2021