This ransomware-dropping malware has swapped phishing for a sneaky new attack route

And it's using cryptographically signed bogus Java apps to avoid detection.
Written by Liam Tung, Contributing Writer

Zloader malware, a tool often used to deliver ransomware, is now being spread through malicious Google ads, according to Microsoft. 

The malware is a key part of the cybercrime industry and recently popped up on the radar of Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA). 

CISA yesterday warned that ZLoader was being used to distribute the Conti ransomware service, which pays ransomware distributors a wage rather than a commission for new infections. 

SEE: Ransomware: This new free tool lets you test if your cybersecurity is strong enough to stop an attack

ZLoader is a banking trojan which uses web injection to steal cookies, passwords and any sensitive information. But it is also used to deliver ransomware and provides attackers with backdoor capabilities and the ability to install other forms of malware, according to security company SentinelOne.

According to Microsoft, ZLoader operators are buying Google keyword ads to distribute various malware strains, including the Ryuk ransomware. 

The techniques aren't new but using Google to distribute links to malicious domains is notable because billions of people use Google. 

"While analyzing ZLoader campaigns in early September, we observed a notable shift in delivery method: from the traditional email campaigns to the abuse of online ad platforms. Attackers purchased ads pointing to websites that host malware posing as legitimate installers," Microsoft said

"The campaign abused Google Ads. While Microsoft 365 Defender protects customers by blocking malicious sites, behavior, payloads, we responsibly reported findings to Google. Activity related to this threat reduced in the last few days, but we continue to monitor as it evolves," it added.

The attackers also registered a fraudulent company in order to cryptographically sign the malicious files, which claims to install a legitimate Java-based app but instead deliver ZLoader, giving the attackers access to affected devices. Signing the apps helps avoid detection from anti-malware systems. 

SEE: Four months on from a sophisticated cyberattack, Alaska's health department is still recovering

Microsoft highlights the maturity of the business ecosystem ZLoader operates within. 

"The operators of this campaign can then sell this access to other attackers, who can use it for their own objectives, such as deploying Cobalt Strike or even ransomware," it notes. 

According to security firm Sentinal, this malware campaign primarily targets customers of Australian and German banks. The malware has the capability to disable all Windows 10 Defender anti-malware modules.

Microsoft says the attackers use Google search keywords to target online ads, which redirect victims to a compromised domain and then bump them across to a domain owned by the attacker for the download. The malware users PowerShell to disable security settings and products like Windows Defender. On some machines, the Cobalt Strike penetration testing kit is downloaded. 

"The operators of this campaign can then sell this access to other attackers, who can use it for their own objectives, such as deploying Cobalt Strike or even ransomware," Microsoft warned. 

Editorial standards