ZLoader, originally a banking Trojan that has since evolved into ransomware-distributing malware, has expanded its capabilities even further and is now being spread through malicious Google ads.
Microsoft found that the ZLoader malware no longer relies on email as its primary method of reaching victims. Instead, the attackers are buying Google ads, which lets them reach an even wider audience.
Microsoft Security Intelligence tweeted a warning about a change in the approach of the ZLoader malware. Microsoft researchers called the change “a notable shift in delivery method.” ZLoader has moved from malicious emails to ad platform abuse.
This is undoubtedly a very serious threat, which has now found a way to reach millions of people more easily. The Microsoft Security Intelligence account explained that the method the attackers use to distribute ZLoader is complex but clearly effective.
The malware distributors buy Google Ads placements for certain keywords and use them to direct victims to websites that pass the malware off as legitimate software, which encourages victims to download it. Notably, the malicious installers are cryptographically signed so that they appear genuine; according to Microsoft's security researchers, this even involves registering a fraudulent company.
Once victims click on the malicious ads and the malware infiltrates their systems, the campaign operators can sell access to the infected devices to interested third parties.
Microsoft reported this abuse to Google, and the use of malicious Google ads to spread ZLoader has since dropped significantly.
Microsoft also noted that, in a recent campaign that used Google ads, ZLoader was used to distribute the notorious Ryuk ransomware. ZLoader can also run Windows PowerShell commands to disable security protections on an infected system.