New Version of ZLoader Banking Malware Resurfaces


Researchers Observe Over 100 Campaigns Since Start of 2020


Two years after it was last seen in 2018, a new version of the ZLoader banking malware has resurfaced, with cybercriminals distributing the malware through email campaigns, according to security firm Proofpoint.


Since January 1 this year, researchers have seen over 100 campaigns containing ZLoader, targeting residents of the U.S., Canada, Germany, Poland and Australia, according to a report published by Proofpoint last week.

ZLoader, a descendant of the ubiquitous Zeus banking malware, has become popular and widespread since it was first observed in December last year, the researchers say. It is included in emails that try to lure victims by using a variety of themes, including COVID-19 testing and pandemic-related scam prevention, according to the report.

“The ongoing pandemic has created a rich pipeline of fears and concerns in the public that threat actors are eagerly capitalizing on, and new opportunities for these actors change day-by-day with every news cycle,” Sherrod DeGrippo, Senior Director of Threat Research and Detection at Proofpoint, tells Information Security Media Group.

New Version of ZLoader

Zeus is a sophisticated and highly effective Trojan that had its heyday in the early 2010s. In 2011, the source code for Zeus was leaked, which led to multiple new variants spawning off the original (see: Zeus Banking Trojan Spawn: Alive and Kicking).

ZLoader has a loader component that downloads and runs the banking malware component from its command-and-control server, researchers at Proofpoint say. ZLoader spread in the wild from June 2016 to February 2018, with TA511 being one of the top threat actors distributing the malware, the report adds.

The ZLoader malware uses webinjects to steal credentials, passwords and cookies stored in web browsers, as well as other sensitive information from customers of banks and financial institutions, according to Proofpoint. The malware then lets the attackers connect to the infected system through a Virtual Network Computing (VNC) client, so they can make fraudulent transactions from the user's own device.

The researchers note that the latest variant appears to be missing some of the advanced features of the original ZLoader malware, such as code obfuscation and string encryption. “Hence, the new malware does not appear to be a continuation of the 2018 strain, but likely a fork of an earlier version,” the researchers state.

Researchers observe that the malware includes a number of “anti-analysis mechanisms” that make it difficult to detect and reverse engineer, such as junk code to distract analysts, constant obfuscation, Windows API function hashing, encrypted strings and C&C blacklisting of sandboxes and malware analysis systems, according to the report.
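Windows API function hashing, one of the anti-analysis mechanisms listed above, replaces readable import names with numeric hashes that the malware resolves at run time, so an analyst sees only constants in the disassembly. The added example below (not code from the Proofpoint report or from ZLoader) shows the defender's counter: precompute a hash-to-name table from the export names of the DLLs the sample loads and resolve the constants back to names. The ROR-13 routine is an assumption chosen for illustration because it is common across many families; the report excerpt does not state which algorithm ZLoader uses, and an analyst would swap in the routine recovered from the sample.

```python
"""Resolve hashed Windows API names back to export names (added example).

The hash routine is a generic ROR-13 scheme, assumed for illustration; it is
not claimed to be ZLoader's own algorithm.
"""
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-by-13 hash over the ASCII bytes of an export name."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32  # rotate right by 13 bits
        h = (h + byte) & MASK32               # accumulate the next byte
    return h


def build_hash_table(export_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> export name for every name the analyst has dumped."""
    return {ror13_hash(name): name for name in export_names}


def resolve(table: Dict[int, str], value: int) -> Optional[str]:
    """Map a constant seen in the disassembly back to an export name, if known."""
    return table.get(value & MASK32)


def resolve_many(table: Dict[int, str], values: Iterable[int]) -> Dict[int, Optional[str]]:
    """Resolve a batch of constants; unknown hashes map to None for follow-up."""
    return {v: resolve(table, v) for v in values}


# Constructed sample: a short list of kernel32 exports an analyst might dump
# with an export-table parser. A real table would hold every export of every
# DLL the sample is seen to load.
KNOWN_EXPORTS = [
    "LoadLibraryA",
    "GetProcAddress",
    "VirtualAlloc",
    "VirtualProtect",
    "CreateProcessA",
    "WinExec",
]

if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    # Constructed constants: hashes of two known names plus one not in the table.
    seen_constants = [ror13_hash("VirtualAlloc"), ror13_hash("WinExec"), 0xDEADBEEF]
    for constant, name in resolve_many(table, seen_constants).items():
        print(f"0x{constant:08X} -> {name or '<unresolved>'}")
```

In practice the table is built once per hash routine and fed into the disassembler as a renaming pass; every constant that stays unresolved is a signal that either the DLL set or the hash routine was guessed wrong.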

The current variant is in active development, and 25 versions of the malware have been observed since it first resurfaced in December 2019, with the latest one being spotted in the wild as recently as this month.

DeGrippo tells ISMG that “the development group behind this ZLoader variant has put extra time and effort into the malware this year and we are seeing that materialize in frequent updates when we do analysis on it.”

Hackers carrying out phishing campaigns to spread ZLoader use a number of lures, researchers note. In one of the campaigns found in March this year, the email claims to warn users of coronavirus scams and urges them to click on a link that allegedly contains the “President Coronavirus guidance.”

The link leads to a landing page with a CAPTCHA challenge, which in turn links to the download of a malicious Microsoft Word document whose macros, if enabled, download ZLoader, according to the report.

Another campaign observed on April 4 alleges that the victim has come in contact with a family member, colleague or neighbor who has contracted COVID-19, and therefore needs to be tested. The email includes a malicious Excel sheet that the hackers claim has information on nearby testing centers.
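Both lures described above deliver ZLoader through Office attachments whose macros must be enabled by the recipient. The practical control at a mail gateway or in an analysis pipeline is to flag macro-bearing attachments before they reach a user. The added example below (not code from the report or from Proofpoint) inspects an Office Open XML container (.docm, .xlsm) for the two indicators of an embedded VBA project: a vbaProject.bin part and the matching content-type registration. It builds constructed sample containers in memory so it runs offline; the legacy binary formats (.doc, .xls) use a different OLE2 container and are out of scope here, where a tool such as olevba would be used instead.

```python
"""Flag macro-enabled Office Open XML attachments (added example).

Sample containers are constructed in memory and are not real documents.
Legacy OLE2 formats (.doc/.xls) are not handled by this check.
"""
import io
import zipfile
from typing import List

CONTENT_TYPES_PART = "[Content_Types].xml"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # registered type for a VBA project part


def find_macro_indicators(doc_bytes: bytes) -> List[str]:
    """Return the reasons an OOXML attachment looks macro-enabled (empty if none).

    A non-zip payload yields an empty list: it is not OOXML, so this check
    cannot say anything about it and a different parser is needed.
    """
    indicators: List[str] = []
    try:
        container = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return indicators
    with container:
        names = container.namelist()
        # Indicator 1: a VBA project part anywhere in the package (word/, xl/, ppt/).
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                indicators.append(f"VBA project part present: {name}")
        # Indicator 2: the package declares the VBA content type for some part.
        if CONTENT_TYPES_PART in names:
            content_types = container.read(CONTENT_TYPES_PART).decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in content_types:
                indicators.append("content types register a VBA project")
    return indicators


def is_macro_enabled(doc_bytes: bytes) -> bool:
    """True when any macro indicator is found."""
    return bool(find_macro_indicators(doc_bytes))


def build_sample_document(with_macro: bool, root: str = "word") -> bytes:
    """Constructed sample: a minimal OOXML package, with or without a VBA part.

    root is "word" for a Word-style package or "xl" for an Excel-style one.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            overrides.append(
                '<Override PartName="/' + root + '/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + '"/>'
            )
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr(root + "/vbaProject.bin", b"constructed placeholder, not real VBA")
        zf.writestr(CONTENT_TYPES_PART, "<Types>" + "".join(overrides) + "</Types>")
        zf.writestr(root + "/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [
        ("word-with-macro", build_sample_document(True, "word")),
        ("excel-with-macro", build_sample_document(True, "xl")),
        ("word-clean", build_sample_document(False, "word")),
    ]:
        print(label, "->", find_macro_indicators(sample) or "no macro indicators")
```

A gateway rule built on this check would quarantine or strip the attachment rather than rely on the recipient declining the "Enable Content" prompt, which is exactly the decision the lures in the campaigns above are written to influence.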

We may continue to see ZLoader in the short term, and potentially in the long term if the malware proves financially successful for its creator, according to Sherrod DeGrippo.

“The reemergence of a ZLoader variant demonstrates that successful threats don’t go away forever; they often come back later in new forms,” says DeGrippo. It also shows that the ZLoader malware was an effective enough threat to merit reuse, DeGrippo adds.

Each new variant requires a lot of time to develop, maintain, distribute and configure, so malware actors tend to stick to what works and what they know will provide the greatest return on investment, according to DeGrippo.


May 25, 2020