ZLoader Banking Malware is Back, Deployed in Over 100 Campaigns

ZLoader, a banking malware that has borrowed some functions from Zeus (e.g. the versioning, nrv2b, binstorage-labels), was recently observed being distributed through COVID-19-themed phishing scams.

What happened

The ZLoader malware has been spotted in more than 100 email campaigns since the beginning of 2020. The trojan is still under active development, with 25 versions seen so far since its comeback in December 2019.

In May 2020, several malspam campaigns from multiple actors were observed using PDF files that link to a Microsoft Word document laced with macro code that downloads and runs a version of ZLoader. This distribution is different from the original variant observed between 2016 and 2018.
In April 2020, an email campaign was observed spreading password-protected Excel sheets along with a message about a family member, colleague, or neighbor who had contracted COVID-19, claiming to provide information on where to get tested. The Excel sheet used Excel 4.0 macros to download and execute ZLoader.
In March 2020, some fraudulent email lures were spotted using a variety of subjects, including COVID-19 scam prevention tips, COVID-19 testing, and invoices, all intended to distribute the ZLoader banking malware.

Worth noting

Scammers are using the leaked code of Zeus malware to steal data from banking customers across multiple continents. With this code available, new Zeus variants have continued to pop up. It points to the effectiveness of Zeus, as its ..