The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.
Active for more than half a decade, ZLoader is the successor of the infamous Zeus Trojan, and is also tracked as Silent Night and ZBot. Last year, the threat started being offered under the malware-as-a-service (MaaS) model.
ZLoader is being distributed through spam emails that carry various types of attachments, with the most recent ones featuring Microsoft Word documents. The document used as bait is designed to trick the victim into enabling macros, which are disabled by default in Microsoft Office.
In order to evade detection, the macros in the attachments don’t carry malicious code, but instead fetch it from a remote location after the document has been opened.
As part of recent attacks analyzed by McAfee, the attached document fetches a password-protected Microsoft Excel (XLS) file from a remote server.
“After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions,” McAfee explained.
As soon as the macros have been written, the Word document modifies the registry so that the malicious macros can be executed without warning the user, and then calls the macro function from the Excel file.
Next, the macros are employed to fetch and deploy the ZLoader payload onto the victim machine. rundll32.exe is then used to run the payload.
McAfee spotted a majority of infections in North America, Spain and several Southeast Asian countries.
To prevent falling victim to such attacks, users are advised to avoid opening attachments or clicking on links in unsolicited emails or in messages coming from unknown parties. They should also make sure that macros are not allowed to execute in Microsoft Office.
Related: Collaboration Platforms Increasingly Abused for Malware Distribution, Data Exfiltration
Related: Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion
Related: Zeus Banking Trojan Distributed via MSG Attachments
More from Ionut Arghire
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- KeePass Update Patches Vulnerability Exposing Master Password
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
Latest News
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
