Users searching for the TeamViewer remote desktop software on search engines such as Google are being redirected to malicious sites that deliver the ZLoader malware. The campaign uses a stealthier infection chain that disables security software, allowing the malware to persist on infected devices for extended periods without detection.
Rather than compromising victims directly, for example through phishing, the attackers rely on an indirect route in this campaign: according to SentinelOne researchers, the malware is downloaded after the victim clicks on a Google AdWords advertisement.
ZLoader, also known as ZBot or Silent Night, was first observed in 2016. It is a full-featured banking trojan and a fork of ZeuS, another banking trojan. Newer versions include a VNC module that gives attackers remote access to victim PCs. The malware is still under active development, with criminals releasing a slew of new variants in recent years, fuelled in no small part by the leak of the ZeuS source code in 2011.
These recent attacks are aimed at users of financial institutions in Germany and Australia. Intercepting users’ web requests to banking websites and obtaining bank credentials is the main objective behind these attacks.
The campaign is notable, however, for the effort it puts into staying undetected, such as running a sequence of commands to disable Windows Defender and mask the malicious activity.
The infection chain starts when a user clicks on a Google ad on the search results page and is taken to a fake TeamViewer site controlled by the attacker, which tricks the victim into downloading a counterfeit but signed version of the program (“Team-Viewer.msi”). The fake installer serves as the first-stage dropper, starting a chain of events that includes downloading next-stage droppers to weaken the machine’s defences and, eventually, the ZLoader DLL payload (“tim.dll”).
First, it uses the PowerShell cmdlet Set-MpPreference to disable all Windows Defender modules. It then uses the cmdlet Add-MpPreference to add exclusions that hide all of the malware’s components from Windows Defender, covering regsvr32, *.exe and *.dll.
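As an added detection example (not code from the original article or from SentinelOne's research), the following Python scans PowerShell script-block log records for the two Defender tampering steps described above: Set-MpPreference calls that switch a protection component off, and Add-MpPreference calls that add exclusions, with broad exclusions (whole extensions such as exe/dll, or living-off-the-land binaries such as regsvr32) rated higher. A host that shows both steps is reported separately, since that pairing is the pattern of this campaign. The log line format, host names, timestamps and the `hosts_with_tamper_chain` helper are assumptions; the sample records are constructed, not captures from the campaign.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the shape "<timestamp> <host> <event id> <script text>",
# modelled on PowerShell script-block logging (event 4104). Illustrative only.
SAMPLE_LOGS = [
    "2021-09-02T10:14:03Z WS-01 4104 Set-MpPreference -DisableRealtimeMonitoring $true",
    "2021-09-02T10:14:04Z WS-01 4104 Set-MpPreference -DisableIOAVProtection $true",
    "2021-09-02T10:14:05Z WS-01 4104 Add-MpPreference -ExclusionExtension exe,dll",
    "2021-09-02T10:14:06Z WS-01 4104 Add-MpPreference -ExclusionProcess regsvr32.exe",
    "2021-09-02T11:00:00Z WS-02 4104 Get-MpPreference | Select-Object ExclusionPath",
    "2021-09-02T11:05:00Z WS-02 4104 Add-MpPreference -ExclusionPath C:\\BuildAgent\\work",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<eid>\d+)\s+(?P<script>.*)$")

# Detection patterns; PowerShell is case-insensitive, so the regexes are too.
# A Set-MpPreference call that sets any -Disable* switch to true.
DISABLE_RE = re.compile(r"\bSet-MpPreference\b.*?-Disable\w+\s+(\$true|1\b)", re.I)
# An Add-MpPreference call that adds a path, extension or process exclusion.
EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b.*?-Exclusion(Path|Extension|Process)\s+(\S+)", re.I)
# Exclusion values that blind Defender to whole executable classes or to LOLBins.
BROAD_EXCLUSION_RE = re.compile(
    r"(^|,)\*?\.?(exe|dll)($|,)|regsvr32|rundll32|powershell", re.I)


@dataclass
class Alert:
    timestamp: str
    host: str
    rule: str
    severity: str
    script: str


def parse_line(line):
    """Split one log record into its fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(script):
    """Return (rule, severity) findings for one script block, or [] if nothing matched."""
    findings = []
    if DISABLE_RE.search(script):
        findings.append(("defender_component_disabled", "high"))
    m = EXCLUSION_RE.search(script)
    if m:
        value = m.group(2)
        severity = "high" if BROAD_EXCLUSION_RE.search(value) else "medium"
        findings.append(("defender_exclusion_added", severity))
    return findings


def scan(lines):
    """Run the rules over script-block records and return the alerts in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["eid"] != "4104":
            continue
        for rule, severity in classify(rec["script"]):
            alerts.append(Alert(rec["ts"], rec["host"], rule, severity, rec["script"]))
    return alerts


def hosts_with_tamper_chain(alerts):
    """Hosts on which Defender was both disabled and given exclusions (assumed helper)."""
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    needed = {"defender_component_disabled", "defender_exclusion_added"}
    return sorted(h for h, rules in rules_by_host.items() if needed <= rules)


if __name__ == "__main__":
    alerts = scan(SAMPLE_LOGS)
    for a in alerts:
        print(f"{a.timestamp} {a.host} [{a.severity}] {a.rule}: {a.script}")
    print("hosts showing disable+exclude chain:", hosts_with_tamper_chain(alerts))
```

In the constructed sample, WS-01 triggers both rules and is reported as showing the full chain, while WS-02 only adds a narrow path exclusion and is flagged at medium severity; the read-only Get-MpPreference query produces no alert. In production the same rules would be fed from script-block logging or from the Defender operational log rather than from a list in the script.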
Internet users should exercise caution, because TeamViewer is not the only software being abused in this way: fake installers posing as other popular applications, such as Zoom and Discord, are also being actively used to lure victims.