ZLoader Banking Malware Resurfaces

Researchers Tracking More Than 100 Campaigns Since Start of 2020

Two years after it was last seen in 2018, a new version of the ZLoader banking malware has surfaced, with cybercriminals distributing the malware through email campaigns, according to security firm Proofpoint.

Since Jan. 1, researchers have been tracking more than 100 campaigns containing ZLoader, targeting residents of the U.S., Canada, Germany, Poland and Australia, according to a report published by Proofpoint last week.

ZLoader, a descendant of the ubiquitous Zeus banking malware, has been in widespread use by cybercriminals since it was first observed in December last year, the researchers say. It is included in emails that try to lure victims by using a variety of themes, including COVID-19 testing and pandemic-related scam prevention, according to the report.

"The ongoing pandemic has created a rich pipeline of fears and concerns in the public that threat actors are eagerly capitalizing on, and new opportunities for these actors change day-by-day with every news cycle," Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, tells Information Security Media Group.

Fresh Version of ZLoader

Zeus was a sophisticated and highly effective Trojan that had its heyday in the early 2010s. In 2011, the source code for Zeus was leaked, which led to multiple new variants spawning off the original (see: Zeus Banking Trojan Spawn: Alive and Kicking).

ZLoader has an element that downloads and runs the banking malware component from its command-and-control server, researchers at Proofpoint say. ZLoader spread in the wild from June 2016 to February 2018, with a group called TA511 - aka MAN1 or Moskalvzapoe - being one of the top threat actors spreading the malware, the report adds.

The ZLoader malware uses webinjects to steal credentials, passwords and cookies stored in web browsers, and other sensitive information from customers of banks and financial institutions, according to Proofpoint. The malware then lets hackers connect to the infected system through a virtual network computing client, so they can make fraudulent transactions from the user's device.

The researchers note that the latest variant seemed to be missing some of the advanced features of the original ZLoader malware, such as code obfuscation and string encryption, among other features. "Hence, the new malware does not appear to be a continuation of the 2018 strain, but likely a fork of an earlier version," the researchers state.

Researchers observe that the malware includes a number of "anti-analysis mechanisms" that make it difficult to detect and reverse engineer, such as junk code to distract analysts, constant obfuscation, Windows API function hashing, encrypted strings and C&C blacklisting of sandboxes and malware analysis systems, according to the report.

The current variant is in active development, and 25 versions of the malware have been observed since it first resurfaced in December 2019, with the latest one being spotted in the wild as recently as this month.

DeGrippo tells ISMG that "the development group behind this ZLoader variant has put extra time and effort into the malware this year and we are seeing that materialize in frequent updates when we do analysis on it."


Hackers carrying out phishing campaigns in order to spread ZLoader use a number of lures, researchers note. In one of the campaigns seen in March, a malicious email claims to warn users of coronavirus scams and urges them to click on a link that allegedly contains the "President Coronavirus guidance."

The link leads to a landing page with a CAPTCHA challenge, which in turn links to the download of a malicious Microsoft Word document containing macros that download ZLoader if enabled, according to the report.

Another campaign observed on April 4 alleges that the victim has come in contact with a family member, colleague or neighbor who has contracted COVID-19, and hence needs to get tested. The email includes a malicious Excel sheet that the hackers claim has information on nearby testing centers.

Expect to see more ZLoader attacks in the short term, and potentially too in the longer term if the group sees any resulting financial success, DeGrippo says.

"The re-emergence of a ZLoader variant demonstrates that successful threats don’t go away forever, they often come back later in new forms," DeGrippo says. It also shows that the ZLoader malware was an effective enough threat to merit reuse, she adds.

Each new variant requires a lot of time to develop, maintain, distribute and configure, so malware actors tend to stick to what works and what they know will provide the greatest return on investment, DeGrippo says.

About the Author

Ishita Chigilli Palli

Senior Correspondent, Global News Desk

As senior correspondent for Information Security Media Group's global news desk, Ishita covers news worldwide. She previously worked at Thomson Reuters, where she specialized in reporting breaking news stories on a variety of topics.
