Malware Alert New Zloader attacks disable Windows Defender to evade detection

LASER_oneXM

An ongoing Zloader campaign uses a new infection chain to disable Microsoft Defender Antivirus (formerly Windows Defender) on victims' computers to evade detection.

According to Microsoft's stats, Microsoft Defender Antivirus is the anti-malware solution pre-installed on more than 1 billion systems running Windows 10.

The attackers have also changed the malware delivery vector from spam or phishing emails to TeamViewer Google ads published through Google AdWords, redirecting the targets to fake download sites.

From there, they are tricked into downloading signed and malicious MSI installers designed to install Zloader malware payloads on their computers.

"The attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a higher level of stealthiness," said SentinelLabs security researchers Antonio Pirozzi and Antonio Cocomazzi in a report published today.

"The first stage dropper has been changed from the classic malicious document to a stealthy, signed MSI payload. It uses backdoored binaries and a series of LOLBAS to impair defenses and proxy the execution of their payloads.
 

Gandalf_The_Grey

ZLoader’s Back, Abusing Google AdWords, Disabling Windows Defender
Stealthy ZLoader Infection Chain Starts With Google AdWords

To target victims, the malware is spread from a fake Google advertisement (published through Google AdWords) for various software, researchers found – an indirect alternative to social-engineering tactics like spear-phishing emails. The lures include Discord, Java plugins, Microsoft’s TeamViewer and Zoom.


Thus, when someone Googles, say, “Team Viewer download,” an advertisement shown by Google will redirect the person to a fake TeamViewer site under the attacker’s control, according to SentinelLabs. From there, the user can be tricked into downloading a fake installer in a signed MSI format, with a signing timestamp of Aug. 23.

“It appears that the cybercriminals managed to obtain a valid certificate issued by Flyintellect Inc., a Software company in Brampton, Canada,” researchers explained. “The company was registered on 29 June 2021, suggesting that the threat actor possibly registered the company for the purpose of obtaining those certificates.”
Does that mean a good adblocker (and/or not using Google search) is the best defense?
 

Andy Ful

ZLoader’s Back, Abusing Google AdWords, Disabling Windows Defender

Does that mean a good adblocker (and/or not using Google search) is the best defense?
Adblocker + SmartScreen. The newly created certificate initially has a poor reputation in SmartScreen. The reputation improves when the file gets some prevalence and is not recognized as malware. Getting a sufficient reputation is hardly possible for malware. The only exception is an EV certificate, but this malware did not have one.
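An added defender-side check, not code from the thread or from the articles quoted in it, that ties together the Defender-disabling described in the first post and the fresh-certificate point in this reply: it inspects an installer's Authenticode signature and flags a recently issued signing certificate, then reports Defender's real-time and tamper protection state and any recent "protection disabled" events. The installer path and the 90-day age threshold are assumptions.

```powershell
# Added example, not from the thread. Run in Windows PowerShell on a host with Microsoft Defender.
param(
    # Placeholder path to the downloaded installer (assumed; not an indicator from the thread).
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\TeamViewer_Setup.msi",
    # Signing certificates younger than this are treated as having no reputation yet (assumed).
    [int]$YoungCertDays = 90
)

function Test-InstallerSignature {
    param([string]$Path, [int]$MaxAgeDays)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path      = $Path
        Status    = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject   # $null when the file is unsigned
        Issued    = $sig.SignerCertificate.NotBefore
        YoungCert = $false
    }
    # "Valid" only proves the chain checks out. A certificate issued weeks ago (as with the
    # Flyintellect certificate in the article) has had no time to earn SmartScreen reputation.
    if ($sig.SignerCertificate -and
        $sig.SignerCertificate.NotBefore -gt (Get-Date).AddDays(-$MaxAgeDays)) {
        $result.YoungCert = $true
    }
    [pscustomobject]$result
}

function Get-DefenderTamperState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # Defender/Operational event IDs: 5001 real-time protection disabled, 5010 anti-malware
    # scanning disabled, 5012 antivirus scanning disabled, 5013 tamper protection blocked a change.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010, 5012, 5013
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        TamperProtection         = $status.IsTamperProtected
        RealtimeDisabledByPolicy = $pref.DisableRealtimeMonitoring
        ExclusionPaths           = $pref.ExclusionPath   # unexpected exclusions are a red flag
        RecentDisableEvents      = @($events).Count
    }
}

Test-InstallerSignature -Path $InstallerPath -MaxAgeDays $YoungCertDays | Format-List
Get-DefenderTamperState | Format-List
```

With tamper protection on, attempts to switch real-time protection off surface as event 5013 rather than 5001, so a non-zero count of either is worth looking at.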
 

vuksha_xc60

Could a standard account with an admin password be a solid defence method against this type of attack?
Zoom and TeamViewer ads clearly state which group is targeted.
 

Andy Ful

Could a standard account with an admin password be a solid defence method against this type of attack?
Zoom and TeamViewer ads clearly state which group is targeted.
No. The initial attack vector is based on social engineering - the user is convinced that he/she installs legal software. So, the malware is allowed by the user to get high privileges. From this moment there is no big difference if you use an admin account (AA) or standard user account (SUA).
SUA has an advantage over AA if the malware/exploit tries silently to get high privileges without user interaction (UAC bypass).
 