The Microsoft 365 Defender Threat Intelligence Team has released details of, and a warning about, the ZLoader trojan. ZLoader, known for evolving and changing from campaign to campaign, is said to be derived from the Zeus banking trojan first discovered in 2007.
Microsoft says ZLoader is an attacker's tool of choice: it has defense evasion capabilities, such as disabling security and antivirus tools, and its operators sell access-as-a-service to other affiliate groups. Operators frequently monetize infections by selling access to other affiliate groups, who then use the purchased access to carry out their own malicious objectives.
Its capabilities include capturing screenshots, collecting cookies, stealing credentials, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers.
ZLoader has been linked to ransomware infections such as Ryuk, DarkSide and BlackMatter.
The majority of ZLoader attacks have targeted the U.S., China, Western Europe and Japan. Microsoft warns that, because of the modular nature of some of the loader's capabilities and its constant shift in techniques, different ZLoader campaigns may look nothing alike.
Previous ZLoader campaigns have been fairly simple: malware delivered via malicious Office macros attached to emails, which is then used to deploy modules for additional capabilities. Other campaigns inject malicious code into legitimate processes, disable antivirus solutions and ultimately end in ransomware.
ZLoader operators have also updated their methodology to deliver the malware through targeted malicious Google ads. They use malicious ads on search engines such as Google to trick users into visiting malicious sites. Microsoft also noted that ZLoader campaigns can impersonate a specific company or product, such as Java, Zoom, TeamViewer or Discord.
How to Prevent ZLoader Infections
The best advice for preventing ZLoader infections is simply to avoid downloading attachments from emails sent by unknown senders, and to avoid clicking on sponsored ads in links and search engine results, opting instead for unsponsored results from verified, trusted sources.
Organizations should maintain good credential hygiene and network segmentation. These best practices increase the cost to attackers, helping to disrupt their activities before they reach their target.
According to Microsoft, defenders can further apply the following mitigations to reduce the environmental attack surface and mitigate the impact of this threat and its payloads:
- Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
- Configure Microsoft Defender for Office 365 to detonate file attachments via Safe Attachments. Safe Attachments provides an additional layer of protection for email attachments by verifying a file in a virtual environment prior to delivery to the inbox.
- Check your Office 365 antispam policy and your mail flow rules for allowed senders, domains and IP addresses. Apply extra caution when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations: Office 365 will honor these settings and can let potentially harmful messages pass through. Review system overrides in Threat Explorer to determine why attack messages have reached recipient mailboxes.
- Configure Exchange Online to enable zero-hour auto purge (ZAP) in response to newly acquired threat intelligence. ZAP retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
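The four Exchange Online / Defender for Office 365 settings above can be applied and audited from Exchange Online PowerShell. The script below is an added example written for this article, not Microsoft's own code; the policy names and the recipient domain `contoso.example` are constructed placeholders, and the Safe Links and Safe Attachments cmdlets assume a Defender for Office 365 license.

```powershell
# Added example (not from the article or from Microsoft): applies the
# Safe Links, Safe Attachments, allow-list review and ZAP mitigations with
# the ExchangeOnlineManagement module. Policy names and the recipient
# domain are constructed placeholders; substitute your own values.
Connect-ExchangeOnline

$RecipientDomain = 'contoso.example'   # placeholder: one of your accepted domains

# 1. Safe Links: rewrite URLs in inbound mail and re-check them at time of click.
#    AllowClickThrough $false stops users from proceeding to a URL flagged as malicious.
New-SafeLinksPolicy -Name 'ZLoader-SafeLinks' `
    -EnableSafeLinksForEmail $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name 'ZLoader-SafeLinks' -SafeLinksPolicy 'ZLoader-SafeLinks' `
    -RecipientDomainIs $RecipientDomain

# 2. Safe Attachments: detonate attachments in a virtual environment before
#    delivery and block the whole message if the attachment is malicious.
New-SafeAttachmentPolicy -Name 'ZLoader-SafeAttachments' -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule -Name 'ZLoader-SafeAttachments' -SafeAttachmentPolicy 'ZLoader-SafeAttachments' `
    -RecipientDomainIs $RecipientDomain

# 3. Review the overrides that let a message bypass filtering: allowed senders
#    and domains in the antispam policy, and mail flow rules that set SCL -1.
Get-HostedContentFilterPolicy | Select-Object Name, AllowedSenders, AllowedSenderDomains
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } |
    Select-Object Name, SenderDomainIs, SenderIpRanges

# 4. Zero-hour auto purge: retroactively remove malware, spam and phishing
#    messages that were delivered before the verdict changed.
Set-MalwareFilterPolicy -Identity Default -ZapEnabled $true
Set-HostedContentFilterPolicy -Identity Default -SpamZapEnabled $true -PhishZapEnabled $true
```

Step 3 only lists the overrides; each entry it returns is a place where an attacker's message could skip the filters the other steps rely on, so every allowed sender or SCL -1 rule should have a documented owner and reason.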
- Turn on network protection to block connections to malicious domains and IP addresses.
- Turn on tamper protection features to prevent attackers from stopping security services.
- Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
- Turn on the following attack surface reduction rules to block or audit activity associated with this threat:
  - Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  - Block all Office applications from creating child processes
  - Block Office applications from creating executable content
  - Block executable content from email client and webmail
  - Block Office applications from injecting code into other processes
  - Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  - Block process creations originating from PsExec and WMI commands
  - Use advanced protection against ransomware
  - Block execution of potentially obfuscated scripts
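The endpoint-side mitigations (network protection, cloud-delivered protection, sample submission and the attack surface reduction rules) can be configured on a single machine with the Defender Antivirus PowerShell module. The script below is an added example written for this article, not Microsoft's own code; the rule GUIDs are Microsoft's published identifiers for the rules named above, and the script starts the rules in audit mode, which is an assumption about how a cautious rollout would proceed rather than something the article prescribes.

```powershell
# Added example (not from the article or from Microsoft): turns on the
# Defender Antivirus mitigations listed above on one endpoint. Run from an
# elevated prompt. Hashtable keys are the article's rule names; values are
# Microsoft's published ASR rule GUIDs.

# Network protection: block outbound connections to known-malicious domains and IPs.
Set-MpPreference -EnableNetworkProtection Enabled

# Cloud-delivered protection (MAPS) at the Advanced level plus automatic sample submission.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

# Attack surface reduction rules named in the article.
$AsrRules = [ordered]@{
    'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block all Office applications from creating child processes'                                       = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office applications from creating executable content'                                         = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block executable content from email client and webmail'                                             = 'be9ba2d9-53ea-4cdd-84e5-9b1eeee46550'
    'Block Office applications from injecting code into other processes'                                 = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'          = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block process creations originating from PsExec and WMI commands'                                   = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Use advanced protection against ransomware'                                                         = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block execution of potentially obfuscated scripts'                                                  = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
}

# Start in audit mode so the ASR audit events (Event ID 1122 in the
# Windows Defender operational log) can be reviewed for false positives;
# change $Mode to 'Enabled' once the audit log is clean.
$Mode = 'AuditMode'
foreach ($Rule in $AsrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Rule.Value `
                     -AttackSurfaceReductionRules_Actions $Mode
    Write-Host "$($Mode): $($Rule.Key)"
}

# Verify the resulting configuration. Tamper protection cannot be set from
# PowerShell (it is managed from Windows Security or Intune), but its state
# can be checked here alongside the other settings.
Get-MpPreference | Select-Object EnableNetworkProtection, MAPSReporting, SubmitSamplesConsent,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
Get-MpComputerStatus | Select-Object IsTamperProtected, AMRunningMode
```

`Add-MpPreference` appends to the existing rule list, so re-running the script with `$Mode = 'Enabled'` changes each rule's action without disturbing rules configured elsewhere; in a managed fleet the same GUIDs and actions would normally be pushed through Intune or Group Policy rather than per host.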