Zloader Malware

SuheililA
2 min read · Sep 22, 2021

ZLoader is a variant of the Zeus malware (Trojan) that hit the banking industry beginning in 2006. Before 2020, it was last seen in the summer of 2018. It has seen a significant increase in presence on the web since January 1, 2020 and has been used in over 100 attack campaigns since that date, affecting victims in the United States, Canada, Australia, Poland and Germany.[1]

How does Zloader work?

  • The victim receives a phishing email with an MS Office document attached (in this scenario, an Excel file).
  • The Excel file contains an Excel 4.0 macro (this is different from a VBA macro).
  • Once the victim clicks “Enable Content” to enable the macro, the malware starts running in the background.
[Figures: child processes, dropped files, and the URLs accessed by the malware]

IOCs:

User-Agent: ofcOweQlhQDGrTfVGn

[Figure: URLs for downloading the malicious .DLL]

[Figure: source code of the macro and the JavaScript code]

Recommendations:

  • Block the IOCs in your environment.
  • Monitor child processes of MS Office applications.
  • Monitor internet traffic for all processes, excluding browser applications and trusted websites (windows.com, …).
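The two monitoring recommendations above, worked through as an added example (not code from the original post): it flags any process spawned by an Office application and any HTTP request carrying the User-Agent IOC listed above. The process events and proxy log lines are constructed samples; the Sysmon-style field names and the log format are assumptions.

```python
"""Detection sketch for the monitoring recommendations above.

Added example, not part of the original post. Inputs are constructed
sample events in a Sysmon-like shape; field names are assumptions.
"""
import re

# IOC from the post: User-Agent string used by the Zloader downloader.
ZLOADER_USER_AGENT = "ofcOweQlhQDGrTfVGn"

# Office binaries whose child processes are worth alerting on.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style fields).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]

# Constructed proxy log lines: client, method, url, "user-agent".
PROXY_LOG = """\
10.0.0.5 GET http://windows.com/update "Mozilla/5.0"
10.0.0.5 GET http://example.invalid/x.dll "ofcOweQlhQDGrTfVGn"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def office_child_processes(events):
    """Return (parent, child) pairs where an Office app spawned a process."""
    return [(_basename(ev["ParentImage"]), _basename(ev["Image"]))
            for ev in events if _basename(ev["ParentImage"]) in OFFICE_PARENTS]

def ioc_user_agent_hits(log_text, ioc=ZLOADER_USER_AGENT):
    """Return (client, url) for every request whose User-Agent equals the IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(4) == ioc:
            hits.append((m.group(1), m.group(3)))
    return hits

if __name__ == "__main__":
    print(office_child_processes(PROCESS_EVENTS))
    print(ioc_user_agent_hits(PROXY_LOG))
```

In a real deployment the same two checks would run over your EDR process-creation telemetry and proxy logs rather than the inline samples.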
