The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.
Active for more than half a decade, ZLoader is the successor of the infamous Zeus Trojan, and is also tracked as Silent Night and ZBot. Last year, the threat started being offered under the malware-as-a-service (MaaS) model.
ZLoader is being distributed through spam emails that carry various types of attachments, with the most recent ones featuring Microsoft Word documents. The document used as bait is designed to trick the victim into enabling macros, which are disabled by default in Microsoft Office.
In order to evade detection, the macros in the attachments don’t carry malicious code, but instead fetch it from a remote location after the document has been opened.
As part of recent attacks analyzed by McAfee, the attached document fetches a password-protected Microsoft Excel (XLS) file from a remote server.
“After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions,” McAfee explained.
As soon as the macros have been written, the Word document modifies the registry so that the malicious macros can be executed without warning the user, and then calls the macro function from the Excel file.
Next, the macros are employed to fetch and deploy the ZLoader payload onto the victim machine. rundll32.exe is then used to run the payload.
McAfee spotted a majority of infections in North America, Spain and several Southeast Asian countries.
To prevent falling victim to such attacks, users are advised to avoid opening attachments or clicking on links in unsolicited emails or in messages coming from unknown parties. They should also make sure that macros are not allowed to execute in Microsoft Office.
Related: Collaboration Platforms Increasingly Abused for Malware Distribution, Data Exfiltration
Related: Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion
Related: Zeus Banking Trojan Distributed via MSG Attachments