[BreachExchange] This ransomware-dropping malware has swapped phishing for a sneaky new attack route

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Sep 24 08:24:56 EDT 2021


zdnet.com/index.php/category/2184/index.php/article/this-ransomware-dropping-malware-has-swapped-phishing-for-a-sneaky-new-attack-route/

Zloader malware, a tool often used to deliver ransomware, is now being
spread through malicious Google ads, according to Microsoft.

The malware is a key part of the cybercrime industry and recently popped up
on the radar of Microsoft and the US Cybersecurity and Infrastructure
Security Agency (CISA).


CISA yesterday warned that ZLoader was being used to distribute the Conti
ransomware service, which pays ransomware distributors a wage rather than a
commission for new infections.

ZLoader is a banking trojan which uses web injection to steal cookies,
passwords and other sensitive information. But it is also used to deliver
ransomware, and it provides attackers with backdoor capabilities and the
ability to install other forms of malware, according to security company
SentinelOne.

According to Microsoft, ZLoader operators are buying Google keyword ads to
distribute various malware strains, including the Ryuk ransomware.

The techniques aren't new but using Google to distribute links to malicious
domains is notable because billions of people use Google.

"While analyzing ZLoader campaigns in early September, we observed a
notable shift in delivery method: from the traditional email campaigns to
the abuse of online ad platforms. Attackers purchased ads pointing to
websites that host malware posing as legitimate installers," Microsoft
said.

"The campaign abused Google Ads. While Microsoft 365 Defender protects
customers by blocking malicious sites, behavior, payloads, we responsibly
reported findings to Google. Activity related to this threat reduced in the
last few days, but we continue to monitor as it evolves," it added.

The attackers also registered a fraudulent company in order to
cryptographically sign the malicious files, which claim to install a
legitimate Java-based app but instead deliver ZLoader, giving the attackers
access to affected devices. Signing the installers helps them evade detection
by anti-malware systems, which often treat validly signed binaries as
lower-risk.

Microsoft highlights the maturity of the business ecosystem ZLoader
operates within.

"The operators of this campaign can then sell this access to other
attackers, who can use it for their own objectives, such as deploying
Cobalt Strike or even ransomware," it notes.

According to SentinelOne, this malware campaign primarily targets customers
of Australian and German banks. The malware has the capability to disable
all Microsoft Defender anti-malware modules on Windows 10.

Microsoft says the attackers buy online ads keyed to Google search terms;
the ads redirect victims to a compromised domain, which then bounces them
across to a domain owned by the attacker for the download. The malware
uses PowerShell to disable security settings and products such as Microsoft
Defender. On some machines, the Cobalt Strike penetration testing kit is
downloaded.
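The PowerShell step described above, where the loader turns off Defender components before the follow-on payload lands, is something a defender can hunt for in PowerShell ScriptBlock logging (Event ID 4104). The script below is an added example and is not code from the article, from Microsoft or from SentinelOne. It decodes `-EncodedCommand` payloads (base64 of UTF-16LE, the standard PowerShell encoding) before matching, because tampering commands are commonly hidden that way, and it tolerates PowerShell's case-insensitivity and parameter-prefix abbreviation. The log lines, rule names and the `analyze`/`scan` functions are all constructed for illustration; real telemetry will carry more fields.

```python
import base64
import re
from typing import Dict, List, Optional

# Matches the -e / -ec / -enc / -EncodedCommand switch and captures the base64 blob.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Detection rules for Defender tampering. Parameter names are matched by
# prefix (e.g. -DisableRealtime\w*) because PowerShell accepts abbreviated
# parameters; values accept $true, 1 and the -Param:$true form.
RULES = [
    ("defender_realtime_off",
     re.compile(r"Set-MpPreference\b.*-DisableRealtime\w*[\s:]+(?:\$true|1\b)", re.IGNORECASE)),
    ("defender_ioav_off",
     re.compile(r"-DisableIOAV\w*[\s:]+(?:\$true|1\b)", re.IGNORECASE)),
    ("defender_behavior_off",
     re.compile(r"-DisableBehavior\w*[\s:]+(?:\$true|1\b)", re.IGNORECASE)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)),
    ("defender_service_stop",
     re.compile(r"(?:Stop-Service|sc(?:\.exe)?\s+stop)\s+.*WinDefend", re.IGNORECASE)),
]

# Constructed sample ScriptBlock text; these are not real events from the campaign.
SAMPLE_EVENTS = [
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'",
    "Get-Process | Where-Object { $_.CPU -gt 100 }",           # benign, must not alert
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode("Set-MpPreference -DisableIOAVProtection $true".encode("utf-16le")).decode(),
    "sEt-mPpReFeReNcE -dIsAbLeBeHaViOrMoNiToRiNg 1",           # case-mangled
    "Stop-Service -Name WinDefend -Force",
]


def decode_encoded_command(line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        # Invalid base64 (binascii.Error is a ValueError) or odd byte count.
        return None


def analyze(line: str) -> Dict[str, object]:
    """Run every rule over the raw line plus any decoded payload."""
    decoded = decode_encoded_command(line)
    haystack = line if decoded is None else f"{line}\n{decoded}"
    hits = [name for name, rx in RULES if rx.search(haystack)]
    return {"raw": line, "decoded": decoded, "hits": hits}


def scan(events: List[str]) -> List[Dict[str, object]]:
    """Return only the events that triggered at least one rule."""
    return [r for r in (analyze(e) for e in events) if r["hits"]]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["hits"], "<-", alert["decoded"] or alert["raw"])
```

The rules are deliberately narrow: a Defender-tampering command only means something if the calling process is not an admin's management tool, so in production pair the hit with the parent process and user from the same event, and enable tamper protection so that these cmdlets fail even when the detection is missed.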
