Users searching for TeamViewer remote desktop software on search engines such as Google are being redirected to malicious links that drop ZLoader malware onto their systems. This malware variant uses a stealthier infection chain that lets it linger on infected devices and evade detection by security solutions.

“The malware is downloaded from a Google advertisement published through Google Adwords,” researchers from SentinelOne said in a report published on Monday. “In this campaign, the attackers use an indirect way to compromise victims instead of using the classic approach of compromising the victims directly, such as by phishing.”

First discovered in 2016, ZLoader (aka Silent Night and ZBot) is a fully featured banking trojan and a fork of another banking malware called ZeuS; newer versions implement a VNC module that grants adversaries remote access to victim systems. The malware is in active development, with criminal actors spawning an array of variants in recent years, a proliferation further fueled by the leak of the ZeuS source code in 2011.

The latest wave of attacks is believed to target users of Australian and German financial institutions, with the primary goal of intercepting users’ web requests to banking portals and stealing bank credentials. But the campaign is also noteworthy for the steps it takes to stay under the radar, including running a series of commands that hide the malicious activity by disabling Windows Defender.