Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks

The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.

The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.

Active for more than half a decade, ZLoader is the successor of the infamous Zeus Trojan, and is also tracked as Silent Night and ZBot. Last year, the threat started being offered under the malware-as-a-service (MaaS) model.

ZLoader is being distributed through spam emails that carry various types of attachments, with the most recent ones featuring Microsoft Word documents. The document used as bait is designed to trick the victim into enabling macros, which are disabled by default in Microsoft Office.

In order to evade detection, the macros in the attachments don’t carry malicious code, but instead fetch it from a remote location after the document has been opened.

As part of recent attacks analyzed by McAfee, the attached document fetches a password-protected Microsoft Excel (XLS) file from a remote server.

“After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions,” McAfee explained.

As soon as the macros have been written, the Word document modifies the registry so that the malicious macros can be executed without warning the user, and then calls the macro function from the Excel file.

Next, the macros are employed to fetch and deploy the ZLoader payload onto the victim machine. rundll32.exe is then used to run the payload.

Advertisement. Scroll to continue reading.

McAfee spotted a majority of infections in North America, Spain and several Southeast Asian countries.

To prevent falling victim to such attacks, users are advised to avoid opening attachments or clicking on links in unsolicited emails or in messages coming from unknown parties. They should also make sure that macros are not allowed to execute in Microsoft Office.

Related: Collaboration Platforms Increasingly Abused for Malware Distribution, Data Exfiltration

Related: Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion

Related: Zeus Banking Trojan Distributed via MSG Attachments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Check Point Software has appointed Nadav Zafrir as Chief Executive Officer

BlackFog has named Brenda Robb as President, John Sarantakes as CRO, and Mark Griffith as VP of Strategic Sales

Former NSA cybersecurity chief Rob Joyce has joined Sandfly Security's Advisory Board.

More People On The Move

Expert Insights