

The Sophos Managed Threat Response Team recently detected and responded to a Zloader campaign that delivered Cobalt Strike and installed Atera Agent for permanent remote access. MTR observed Zloader leveraging a known vulnerability in Windows, CVE-2013-3900, that enabled appending malicious script content to digitally signed files provided by Microsoft.

Within the past month, two other organizations have shared research related to this campaign. Check Point first published details about how Zloader abuses CVE-2013-3900. Shortly afterward, Walmart Global Tech detailed research into this attack campaign, including their finding that "infections are primarily located in the US and Europe". Given Sophos's unique observations regarding initial access and the Cobalt Strike beacon deployed, we wanted to publish our corresponding research.

Zloader is a banking trojan with historical ties to the Zeus malware. Zloader featured VNC remote access capabilities and was offered on the infamous Russian-speaking cybercrime forum exploit[.]in. Recently, Egregor and Ryuk ransomware affiliates used Zloader for the initial point of entry. Zloader infects users by leveraging malicious web advertising to redirect them into downloading malicious MSI files. Over the last year, Zloader MSI files were disguised as installers for remote working applications such as Zoom, TeamViewer, and Discord.

On Friday, December 10th, a user at an American automotive company attempted to install a remote access tool on their computer by Google searching "teamviewer download". Unfortunately, this user clicked on a malicious advertisement, then downloaded and ran a malicious installation package called TeamViewer.msi. The malicious download was performed using the domain teamviewer-u[.]com. At the time of our analysis, this command and control domain shared the same hosting IP address as the Zloader domain zoomvideoconference[.]com.
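The vulnerability referenced above, CVE-2013-3900, is abusable because the Authenticode hash of a PE file does not cover the bytes of the WIN_CERTIFICATE entry itself: content stored after the PKCS#7 SignedData blob, inside the declared length of that entry, does not invalidate the signature. The Python below is an added example for defenders, not Sophos's code and not part of the original article. It parses a PE file's security data directory and reports how many bytes the signature entry carries beyond the DER-encoded PKCS#7 structure, flagging anything larger than 8-byte alignment padding. The minimal PE32+ image and the fake PKCS#7 blob it builds are constructed test fixtures, and all function names are the example's own.

```python
import struct
from typing import Optional

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
ALIGNMENT_SLACK_MAX = 7  # WIN_CERTIFICATE entries are padded to an 8-byte boundary


def _der_total_length(blob: bytes) -> int:
    """Return the encoded length (tag + length + content) of the DER element at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:          # PKCS#7 SignedData is a DER SEQUENCE
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F                              # long-form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def authenticode_slack(pe: bytes) -> Optional[int]:
    """Bytes in the signature entry beyond the PKCS#7 blob, or None if the file is unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                             # PE32
        dd_offset, nrva_offset = opt + 96, opt + 92
    elif magic == 0x20B:                           # PE32+
        dd_offset, nrva_offset = opt + 112, opt + 108
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", pe, nrva_offset)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    # The security directory holds a raw file offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", pe, dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off == 0 or sec_size == 0:
        return None                                # no Authenticode signature present
    if sec_size < 8 or sec_off + sec_size > len(pe):
        raise ValueError("security directory points outside the file")
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    if dw_length > sec_size or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected WIN_CERTIFICATE header")
    blob = pe[sec_off + 8:sec_off + dw_length]     # bCertificate: the PKCS#7 blob plus any extra bytes
    return len(blob) - _der_total_length(blob)


def is_suspicious(pe: bytes) -> bool:
    """True when the signature entry carries more than alignment padding after the PKCS#7 blob."""
    slack = authenticode_slack(pe)
    return slack is not None and slack > ALIGNMENT_SLACK_MAX


def build_sample_pe(signature_blob: bytes, appended: bytes = b"") -> bytes:
    """Construct a minimal PE32+ image whose only content is an Authenticode entry (test fixture)."""
    cert_off = 0x200
    body = signature_blob + appended
    dw_length = 8 + len(body)
    padded = (dw_length + 7) & ~7
    entry = struct.pack("<IHH", dw_length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    entry += b"\0" * (padded - dw_length)

    hdr = bytearray(cert_off)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF header: AMD64, no sections, 240-byte optional header (112 + 16 data directories)
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, padded)
    return bytes(hdr) + entry


# Constructed stand-in for a PKCS#7 SignedData blob: a 260-byte DER SEQUENCE, not a real signature.
FAKE_PKCS7 = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    clean = build_sample_pe(FAKE_PKCS7)
    padded_out = build_sample_pe(FAKE_PKCS7, b"X" * 100)           # constructed extra bytes
    print("clean slack:", authenticode_slack(clean), "suspicious:", is_suspicious(clean))
    print("padded slack:", authenticode_slack(padded_out), "suspicious:", is_suspicious(padded_out))
```

The check only measures the slack; it does not validate the signature, so it belongs next to, not in place of, a real WinVerifyTrust call. On Windows the vendor mitigation for CVE-2013-3900 is the opt-in EnableCertPaddingCheck registry value from Microsoft Security Advisory 2915720, which makes WinVerifyTrust reject signatures whose entry contains this kind of non-conformant padding; a fleet where that value is unset still accepts such files as validly signed.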
