New Zloader attacks disable Windows Defender to evade detection

LASER_oneXM

An ongoing Zloader campaign uses a new infection chain to disable Microsoft Defender Antivirus (formerly Windows Defender) on victims' computers to evade detection.

According to Microsoft's stats, Microsoft Defender Antivirus is the anti-malware solution pre-installed on more than 1 billion systems running Windows 10.

The attackers have also changed the malware delivery vector from spam or phishing emails to TeamViewer Google ads published through Google Adwords, redirecting the targets to fake download sites.

From there, they are tricked into downloading signed and malicious MSI installers designed to install Zloader malware payloads on their computers.

"The attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a higher level of stealthiness," said SentinelLabs security researchers Antonio Pirozzi and Antonio Cocomazzi in a report published today.

"The first stage dropper has been changed from the classic malicious document to a stealthy, signed MSI payload. It uses backdoored binaries and a series of LOLBAS to impair defenses and proxy the execution of their payloads.

Gandalf_The_Grey

ZLoader’s Back, Abusing Google AdWords, Disabling Windows Defender
Stealthy ZLoader Infection Chain Starts With Google AdWords

To target victims, the malware is spread from a fake Google advertisement (published through Google AdWords) for various software, researchers found – an indirect alternative to social-engineering tactics like spear-phishing emails. The lures include Discord, Java plugins, Microsoft’s TeamViewer and Zoom.

Thus, when someone Googles, say, “Team Viewer download,” an advertisement shown by Google will redirect the person to a fake TeamViewer site under the attacker’s control, according to SentinelLabs. From there, the user can be tricked into downloading a fake installer in a signed MSI format, with a signing timestamp of Aug. 23.

“It appears that the cybercriminals managed to obtain a valid certificate issued by Flyintellect Inc., a Software company in Brampton, Canada,” researchers explained. “The company was registered on 29 June 2021, suggesting that the threat actor possibly registered the company for the purpose of obtaining those certificates.”
Does that mean a good adblocker (and/or not using Google search) is the best defense?

Andy Ful

ZLoader’s Back, Abusing Google AdWords, Disabling Windows Defender

Does that mean a good adblocker (and/or not using Google search) is the best defense?
Adblocker + SmartScreen. The newly created certificate initially has a poor reputation in SmartScreen. The reputation improves when the file gains some prevalence and is not recognized as malware. It is hardly possible for malware to gain a sufficient reputation. The only exception is an EV certificate, but this malware did not have one.

Andy Ful

Could a standard account with an admin password be a solid defence method against this type of attack?
Zoom and TeamViewer ads clearly state which group is targeted.
No. The initial attack vector is based on social engineering - the user is convinced that he/she installs legal software. So, the malware is allowed by the user to get high privileges. From this moment there is no big difference if you use an admin account (AA) or standard user account (SUA).
SUA has an advantage over AA if the malware/exploit tries silently to get high privileges without user interaction (UAC bypass).
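The two replies above rest on checks a user or admin can actually run: how much reputation a signer's certificate can have (a certificate issued weeks ago has next to none) and whether Defender is still protecting the machine once an installer has been granted high privileges. The following PowerShell function is an added example written for this thread; it is not code from the posters, from Hard_Configurator Tools or from the articles quoted. It assumes Windows 10 or later with the built-in Defender module (Get-MpComputerStatus), a hypothetical $InstallerPath supplied by the reader, and an arbitrary 90-day threshold for calling a certificate "young". It also checks for the Mark-of-the-Web stream, which goes slightly beyond the thread: SmartScreen only evaluates files that carry it.

```powershell
# Added example (not from the thread): triage a downloaded installer and report Defender state.
# Assumes Windows 10+ with the Defender module; $InstallerPath is a hypothetical path.
function Get-InstallerTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$InstallerPath,

        # Certificates issued more recently than this are flagged as "young" (arbitrary threshold).
        # The thread describes a signer company registered only weeks before the sample was signed.
        [int]$YoungCertDays = 90
    )

    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "File not found: $InstallerPath"
    }

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Authenticode: is the signature valid, who signed it, and how new is the certificate?
    $sig  = Get-AuthenticodeSignature -FilePath $InstallerPath
    $cert = $sig.SignerCertificate
    $certAgeDays = $null
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is '$($sig.Status)'")
    }
    if ($null -ne $cert) {
        $certAgeDays = [int]((Get-Date) - $cert.NotBefore).TotalDays
        if ($certAgeDays -lt $YoungCertDays) {
            $findings.Add("Signing certificate is only $certAgeDays days old; expect low SmartScreen reputation")
        }
    }

    # 2. Mark-of-the-Web: the Zone.Identifier alternate data stream (ZoneId=3 means 'Internet').
    #    Without it SmartScreen never evaluates the file, so the reputation check never runs.
    $zoneId = $null
    try {
        $lines = Get-Content -LiteralPath $InstallerPath -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $lines) {
            if ($line -match '^ZoneId=(\d)') { $zoneId = [int]$Matches[1]; break }
        }
    } catch {
        # No stream: the file was not marked as downloaded.
    }
    if ($null -eq $zoneId) {
        $findings.Add('No Mark-of-the-Web; SmartScreen reputation check will not run')
    }

    # 3. Defender state: real-time protection and tamper protection.
    $rtp = $null; $tamper = $null
    try {
        $mp     = Get-MpComputerStatus -ErrorAction Stop
        $rtp    = $mp.RealTimeProtectionEnabled
        $tamper = $mp.IsTamperProtected
        if (-not $rtp)    { $findings.Add('Defender real-time protection is OFF') }
        if (-not $tamper) { $findings.Add('Defender tamper protection is OFF; an elevated installer can switch Defender off') }
    } catch {
        $findings.Add("Could not query Defender status: $($_.Exception.Message)")
    }

    [pscustomobject]@{
        File                      = $InstallerPath
        SignatureStatus           = $sig.Status
        Signer                    = if ($null -ne $cert) { $cert.Subject } else { $null }
        CertificateAgeDays        = $certAgeDays
        ZoneId                    = $zoneId
        RealTimeProtectionEnabled = $rtp
        TamperProtected           = $tamper
        Findings                  = $findings.ToArray()
    }
}

# Usage (the path is a placeholder, not a real sample):
# Get-InstallerTriage -InstallerPath "$env:USERPROFILE\Downloads\installer.msi" | Format-List
```

Run it before double-clicking any installer that arrived via a search ad. A valid signature with a certificate only a few weeks old is exactly the case Andy Ful describes: technically signed, but with no SmartScreen reputation yet. A result with tamper protection off is the case where, once the user has approved the elevation prompt, nothing stops the installer from turning Defender off.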
