Search engines like Google are displaying search results that redirect the user to malicious links when they search for TeamViewer remote desktop software. These links download ZLoader malware onto the user’s system, creating a stealthy infection path that allows the attacker to install additional malware without detection.
This latest ZLoader campaign is an indirect method of infection compared to the traditional approach of phishing. Clicking the link executes a downloader that retrieves the core module and injects it into processes that are currently running on the host system. The latest version of ZLoader also includes other components, which is common practice for this malware family. Malwarebytes has published a paper in collaboration with HYAS that performs a detailed analysis of ZLoader, especially its Command-and-Control (C2) panel. It groups ZLoader variants according to values in their config files and also compares them with Zbots like Terdot that have recently become popular.
ZLoader, also known as Silent Night and ZBot, was first discovered in 2016. It’s a fully-featured banking trojan based on ZeuS, probably the best-known banking trojan. ZLoader is currently in active development, with actors creating many variants over the past decade due to a leak of the ZeuS code in 2011. The latest version of ZLoader implements a Virtual Network Computing (VNC) module that grants attackers access to the target system.
Version 1.0 of this design was compiled at the end of November 2019, although it didn’t have a specific name at that time. It was initially referred to as simply ZLoader/Zbot, which is a generic name for any malware related to ZeuS. Researchers later determined this version of ZLoader was a new family of ZeuS that creators were distributing under the name “Silent Night,” likely a reference to the biochemical weapon of the same name in the 2002 movie xXx.
The latest ZLoader campaign appears to target the customers of Australian and German financial institutions. Its primary purpose is to intercept these users’ web requests to their banking portals, allowing the attackers to obtain the user credentials for those institutions. This campaign is also notable for its unusually strong efforts to avoid detection, which include disabling Windows Defender through a series of commands.
Once a user clicks on a Google ad in a results page, the link will redirect the browser to a fake TeamViewer site controlled by the attacker. The user, believing that this is the real TeamViewer page, will then download an installer for a signed version of the software named Team-Viewer.msi. However, this file is infected with ZLoader, which acts as a first-stage dropper by downloading subsequent droppers that impair the target system’s defenses.
The droppers’ first action is to disable all Windows Defender modules with the PowerShell cmdlet Set-MpPreference. Next, they add exclusions to Windows Defender that include *.exe, *.dll and regsvr32 by using the cmdlet Add-MpPreference, which hides the ZLoader components from Windows Defender. If successful, the system will download the ZLoader payload, a DLL file named tim.dll, which begins intercepting web requests from the host system.
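The Defender tampering described above leaves a recognizable trail in PowerShell command logging. The following detection sketch is an added example, not code from the article or from the researchers it cites; the parameter names are real Set-MpPreference and Add-MpPreference parameters, but the article does not say which ones the droppers used, and the log lines are constructed.

```python
import re

# Exclusions the article attributes to this campaign (lower case).
# Extension values are normalized to the "*.ext" form before comparison.
CAMPAIGN_EXCLUSIONS = {"*.exe", "*.dll", "regsvr32"}

DISABLE = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.I)
EXCLUDE = re.compile(r"-(Exclusion(?:Extension|Process|Path))\s+(.+?)(?=\s+-\w|$)", re.I)

# Constructed sample of logged PowerShell commands (not taken from the article).
SAMPLE_LOG = [
    "Get-MpPreference",
    "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true",
    "Add-MpPreference -ExclusionExtension '*.exe','*.dll' -ExclusionProcess regsvr32",
    "Set-MpPreference -DisableRealtimeMonitoring $false",
    "Add-MpPreference -ExclusionPath 'C:\\BuildCache'",
]


def findings(command):
    """Return (kind, detail) tuples for one logged PowerShell command."""
    out, lowered = [], command.lower()
    if "set-mppreference" in lowered:
        out += [("defender_disabled", m.group(1)) for m in DISABLE.finditer(command)]
    if "add-mppreference" in lowered:
        for m in EXCLUDE.finditer(command):
            param = m.group(1).lower()
            for raw in m.group(2).split(","):
                value = raw.strip().strip("'\"").lower()
                if not value:
                    continue
                # "dll", ".dll" and "*.dll" are one extension; regsvr32(.exe) one process.
                if param == "exclusionextension":
                    norm = "*." + value.lstrip("*.")
                else:
                    norm = value.removesuffix(".exe")
                kind = "campaign_exclusion" if norm in CAMPAIGN_EXCLUSIONS else "exclusion_added"
                out.append((kind, value))
    return out


def scan(log):
    """Return (line_number, kind, detail) for every tampering indicator in the log."""
    return [(n, k, d) for n, cmd in enumerate(log, 1) for k, d in findings(cmd)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Commands that re-enable protection ($false) are ignored, and exclusions outside the campaign's set are reported separately as exclusion_added so they can be reviewed rather than treated as a match.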
Analysts believe that the perpetrators of the current ZLoader campaign are also conducting other campaigns with targets other than TeamViewer. They have found additional artifacts in ZLoader that imitate other popular applications such as Discord and Zoom. The complexity of these attacks has also increased compared to their predecessors, especially with respect to the level of stealthiness. Furthermore, the method of installing the first-stage dropper has changed from enticing victims into opening an infected document to placing malicious links in victims’ search results, which is much more difficult to detect.
The most direct method of preventing an infection by the latest version of ZLoader is to avoid clicking on any Google ads displayed on search results for “TeamViewer” and similar terms. If you really do want to download TeamViewer software, ensure that you’re on a page under the https://www.teamviewer.com domain. You can do this by checking your browser’s URL field.