Connect with us

Hi, what are you looking for?



ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks

The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.

The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.

Active for more than half a decade, ZLoader is the successor of the infamous Zeus Trojan, and is also tracked as Silent Night and ZBot. Last year, the threat started being offered under the malware-as-a-service (MaaS) model.

ZLoader is being distributed through spam emails that carry various types of attachments, with the most recent ones featuring Microsoft Word documents. The document used as bait is designed to trick the victim into enabling macros, which are disabled by default in Microsoft Office.

In order to evade detection, the macros in the attachments don’t carry malicious code, but instead fetch it from a remote location after the document has been opened.

As part of recent attacks analyzed by McAfee, the attached document fetches a password-protected Microsoft Excel (XLS) file from a remote server.

“After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions,” McAfee explained.

As soon as the macros have been written, the Word document modifies the registry so that the malicious macros can be executed without warning the user, and then calls the macro function from the Excel file.

Advertisement. Scroll to continue reading.

Next, the macros are employed to fetch and deploy the ZLoader payload onto the victim machine. rundll32.exe is then used to run the payload.

McAfee spotted a majority of infections in North America, Spain and several Southeast Asian countries.

To prevent falling victim to such attacks, users are advised to avoid opening attachments or clicking on links in unsolicited emails or in messages coming from unknown parties. They should also make sure that macros are not allowed to execute in Microsoft Office.

Related: Collaboration Platforms Increasingly Abused for Malware Distribution, Data Exfiltration

Related: Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion

Related: Zeus Banking Trojan Distributed via MSG Attachments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...