{"id":112209,"date":"2022-04-13T09:00:00","date_gmt":"2022-04-13T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=112209"},"modified":"2023-09-11T16:39:09","modified_gmt":"2023-09-11T23:39:09","slug":"dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/04\/13\/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware\/","title":{"rendered":"Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware"},"content":{"rendered":"\n

As announced today, Microsoft took action against the ZLoader trojan<\/a> by working with telecommunications providers around the world to disrupt key ZLoader infrastructure. We used our research into this threat to enrich our protection technologies and ensure this infrastructure could no longer be leveraged by operators to distribute the trojan or activate deployed payloads like ransomware. Moreover, we are sharing this intelligence to emphasize the importance of collaboration throughout the larger security community. Below, we will detail the various aspects for identifying a ZLoader campaign.<\/p>\n\n\n\n

Derived from the Zeus banking trojan first discovered in 2007, ZLoader is a malware family notable for its ability to evolve and change from campaign to campaign, having undergone much development since its inception. ZLoader has remained relevant as attackers\u2019 tool of choice by including defense evasion capabilities, like disabling security and antivirus tools, and selling access-as-a-service to other affiliate groups, such as ransomware operators. Its capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers.<\/p>\n\n\n\n

ZLoader campaign operators evolved the malware from a basic banking trojan to a more sophisticated piece of malware capable of monetizing compromised devices by selling access to other affiliate groups. By leveraging and misusing legitimate tools like Cobalt Strike and Splashtop, affiliates gain hands-on-keyboard access to affected devices, which can be further misused for other malicious activities like credential theft or downloading additional payloads, including ransomware. ZLoader has previously been linked to ransomware infections such as Ryuk, DarkSide, and BlackMatter.<\/p>\n\n\n\n

ZLoader attacks have affected nations around the world, with the majority targeting the US, China, western Europe, and Japan. Due to the modular nature of some of ZLoader\u2019s capabilities and its constant shifts in techniques, different ZLoader campaigns may look nothing alike. Previous campaigns have been fairly simple, with the malware delivered via malicious Office macros attached to emails and then used to deploy modules for capabilities. Other, more recent campaigns are notably complex: injecting malicious code into legitimate processes, disabling antivirus solutions, and ultimately culminating in ransomware.<\/p>\n\n\n\n

\"World
Figure 1. Heat map of nations affected by ZLoader attacks<\/figcaption><\/figure>\n\n\n\n

ZLoader operators have also updated their methodology to frequently deliver the malware through targeted malicious Google Ads. The use of ad fraud is a stealthy way to target end users as it bypasses typical security solutions that can be found in email and surfaces itself in normal browser activities instead.<\/p>\n\n\n\n

Microsoft Defender for Endpoint<\/a> detects malicious behaviors related to this campaign. Enabling cloud protection<\/a> and automatic sample submission for Microsoft Defender Antivirus aids users and organizations in remaining protected on new and emerging threats. Moreover, standardizing the use of the Microsoft Edge<\/a> browser across all corporate devices and enabling Microsoft Defender SmartScreen<\/a> protection blocks malicious sites, such as those connected to ZLoader campaigns. <\/p>\n\n\n\n

In this blog post, we characterize the various methods by which a ZLoader campaign might be identified, along with detailing detection and mitigation information that can help users reduce the impact of this threat.<\/p>\n\n\n\n

ZLoader attack chains<\/h2>\n\n\n\n

ZLoader is a malware variant that has evolved over the years and is used for multiple objectives, meaning that two campaigns which both use ZLoader may appear completely different. For example, an individual who has experience responding to a ZLoader campaign that originated from email and dropped the payload via a malicious Office macro may be shocked at the complexity of a second ZLoader campaign that uses numerous malicious files for reconnaissance and antivirus tampering before finally dropping the actual malware payload.<\/p>\n\n\n\n

The following diagram identifies the most common ways the ZLoader trojan has been observed moving through the delivery, installation, payload, malware activity, and follow-on activity phases of an attack. This diagram is high-level and may not depict every step or file dropped in some of ZLoader\u2019s more complex campaigns.<\/p>\n\n\n\n

\"Diagram
Figure 2. ZLoader attack flow diagram<\/figcaption><\/figure>\n\n\n\n

Delivery<\/h3>\n\n\n\n

ZLoader malware has been observed being delivered in multiple ways. Two of the most prominent methods include malicious search engine ads and malicious emails.<\/p>\n\n\n\n

Malicious advertisement delivery<\/h4>\n\n\n\n

In more recent campaigns, ZLoader has shifted away from using email as a means of delivery and instead used malicious ads on search engines such as Google to trick users into visiting malicious sites.<\/p>\n\n\n\n

Each wave of these campaigns impersonated a specific company or product, such as Java, Zoom, TeamViewer, and Discord. For the delivery stage of the attack, the actors would purchase Google Ads for key terms associated with those products, such as \u201czoom videoconference<\/em>.\u201d Users who performed Google searches for those terms during a specific time would be presented with an advertisement that led to the form-grabbing malicious domains.<\/p>\n\n\n\n

In each instance of this campaign, the actors would compromise legitimate domains that appeared to be owned by individuals or small businesses, such as personal blogs. They would then set up subdomains on them that were associated with the product they were impersonating during that time. The product-specific subdomain was the second subdomain on the domain, while the first subdomain was an extremely long set of words. For example:<\/p>\n\n\n\n