ZLoader | Breaking Cybersecurity News | The Hacker News

A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered  Royal ransomware . Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name  DEV-0569 . "Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation," the Microsoft Security Threat Intelligence team  said  in an analysis. The threat actor is known to rely on malvertising to point unsuspecting victims to malware downloader links that pose as software installers for legitimate apps like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom. The malware downloader, a strain referred to as  BATLOADER , is a dropper that functions as a conduit to distribute next-stage pa

Microsoft and a consortium of cybersecurity companies took legal and technical steps to disrupt the ZLoader botnet , seizing control of 65 domains that were used to control and communicate with the infected hosts. "ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money," Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit (DCU),  said . The operation, Microsoft said, was undertaken in collaboration with ESET, Lumen's Black Lotus Labs, Palo Alto Networks Unit 42, Avast, Financial Services Information Sharing and Analysis Center (FS-ISAC), and Health Information Sharing and Analysis Center (H-ISAC). As a result of the disruption, the domains are now redirected to a sinkhole, effectively preventing the botnet's criminal operators from contacting the compromised devices.

Users searching for TeamViewer remote desktop software on search engines like Google are being redirected to malicious links that drop  ZLoader  malware onto their systems while simultaneously embracing a stealthier infection chain that allows it to linger on infected devices and evade detection by security solutions. "The malware is downloaded from a Google advertisement published through Google Adwords," researchers from SentinelOne  said  in a report published on Monday. "In this campaign, the attackers use an indirect way to compromise victims instead of using the classic approach of compromising the victims directly, such as by phishing." First discovered in 2016, ZLoader (aka Silent Night and ZBot) is a  fully-featured banking trojan  and a fork of another banking malware called ZeuS, with newer versions implementing a VNC module that grants adversaries remote access to victim systems. The malware is in active development, with criminal actors spawning an