Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks

The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.

The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.

Active for more than half a decade, ZLoader is the successor of the infamous Zeus Trojan, and is also tracked as Silent Night and ZBot. Last year, the threat started being offered under the malware-as-a-service (MaaS) model.

ZLoader is being distributed through spam emails that carry various types of attachments, with the most recent ones featuring Microsoft Word documents. The document used as bait is designed to trick the victim into enabling macros, which are disabled by default in Microsoft Office.

In order to evade detection, the macros in the attachments don’t carry malicious code, but instead fetch it from a remote location after the document has been opened.

As part of recent attacks analyzed by McAfee, the attached document fetches a password-protected Microsoft Excel (XLS) file from a remote server.

“After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions,” McAfee explained.

Advertisement. Scroll to continue reading.

As soon as the macros have been written, the Word document modifies the registry so that the malicious macros can be executed without warning the user, and then calls the macro function from the Excel file.

Next, the macros are employed to fetch and deploy the ZLoader payload onto the victim machine. rundll32.exe is then used to run the payload.

McAfee spotted a majority of infections in North America, Spain and several Southeast Asian countries.

To prevent falling victim to such attacks, users are advised to avoid opening attachments or clicking on links in unsolicited emails or in messages coming from unknown parties. They should also make sure that macros are not allowed to execute in Microsoft Office.

Related: Collaboration Platforms Increasingly Abused for Malware Distribution, Data Exfiltration

Related: Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion

Related: Zeus Banking Trojan Distributed via MSG Attachments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.