
The ZLoader banking trojan, last seen in early 2018, has been spotted in more than 100 email campaigns since the beginning of the year.
The trojan is under active development with 25 versions seen in the wild since its comeback in December 2019, the latest one observed this month.
Lighter on advanced features
The malicious email campaigns target users in the U.S., Canada, Germany, Poland, and Australia with lures related to the COVID-19 topics (tips to avoid scams, testing) and invoices.
Researchers at Proofpoint note in a report today that the ZLoader distributed this way is different from the original variant observed between 2016 and 2018. They believe the new version is a fork of the previous one.
Multiple actors are currently spreading this strain in at least one malicious email campaign per day. They use PDF files that link to a Microsoft Word document laced with macro code that downloads and runs a version of ZLoader.
Since March, they have been using COVID-19-themed phishing lures that pretend to warn recipients of scams related to the new coronavirus pandemic.
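The delivery chain described above (a document opened in Word whose macro fetches and launches a payload) leaves a recognisable trace in endpoint telemetry: an Office process with a descendant that makes an outbound connection or executes a file from a user-writable directory. The following is an added example, not code from the article or from Proofpoint, of a hunt over Sysmon-style process-creation and network-connection events. The event format, the sample events and the heuristics (Office parent, user-writable paths) are assumptions for illustration.

```python
# Hunt for the "Office macro -> downloader -> payload" chain in endpoint telemetry.
# Event schema is an assumption: a flat list of dicts with either
#   {"type": "process", "pid", "ppid", "image"}  or  {"type": "network", "pid", "dest"}.

# Constructed sample telemetry (not real captures): Word spawns cmd.exe, which
# connects out and then launches an executable from the user's Temp directory.
# A browser connecting out on its own is included as benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network", "pid": 101, "dest": "203.0.113.10:80"},
    {"type": "process", "pid": 102, "ppid": 101,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "process", "pid": 200, "ppid": 1,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"type": "network", "pid": 200, "dest": "198.51.100.5:443"},
]

# Office applications whose descendants we treat as suspicious (assumed list).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Path fragments a macro-dropped payload typically executes from (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def build_tree(events):
    """Return (parent, image) maps keyed by pid from the process-creation events."""
    parent, image = {}, {}
    for e in events:
        if e["type"] == "process":
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["image"]
    return parent, image


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_office_ancestor(pid, parent, image):
    """Walk the parent chain; True if any ancestor is an Office application."""
    seen = set()
    cur = parent.get(pid)
    while cur is not None and cur not in seen:   # cycle guard for pid reuse
        seen.add(cur)
        if basename(image.get(cur, "")) in OFFICE_IMAGES:
            return True
        cur = parent.get(cur)
    return False


def find_macro_dropper_chains(events):
    """Return a list of (rule, pid, detail) findings for the macro-dropper pattern."""
    parent, image = build_tree(events)
    findings = []
    for e in events:
        if e["type"] == "network":
            # Rule 1: a descendant of an Office process talks to the network.
            if has_office_ancestor(e["pid"], parent, image):
                findings.append(("office_child_network", e["pid"], e["dest"]))
        elif e["type"] == "process":
            # Rule 2: a descendant of an Office process runs from a user-writable path.
            lower = e["image"].lower()
            if any(frag in lower for frag in USER_WRITABLE) and \
                    has_office_ancestor(e["pid"], parent, image):
                findings.append(("office_descendant_exec_from_user_dir",
                                 e["pid"], e["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in find_macro_dropper_chains(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} {detail}")
```

On the sample data the hunt flags cmd.exe (pid 101) for connecting out from under WINWORD.EXE and update.exe (pid 102) for executing from Temp, while firefox.exe is ignored because it has no Office ancestor. Both rules are deliberately broad; in production they would be tuned with allow-lists for legitimate Office add-ins and update mechanisms.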

IBM X-Force also observed these campaigns luring with documents allegedly containing details on government relief payments.
The current variant lacks some advanced features seen in its predecessor. For instance, code obfuscation and string encryption are missing. Despite this, it still poses a significant threat.
It uses web injects to steal credentials and private banking information from victims along with sensitive data stored in browsers, like cookies and passwords.
The threat actor uses this data to log into the victim's online banking account. Using a VNC (Virtual Network Computing) client, they then make transactions from the compromised computer itself.
This does not raise suspicion at the bank, since the transfer is initiated from the customer's own computer with the correct credentials. It also makes it more difficult for the victim to dispute the fraudulent transaction.
ZLoader is also known as Zeus Sphinx, Terdot, and DELoader. It is a variant of the infamous Zeus trojan, which a major theft ring used to steal tens of millions of dollars before its members were caught in 2010.
Back in the day, Zeus carried a price tag of between $3,000 and $4,000 and was the top malware used by criminals specializing in financial fraud.