A ZLoader campaign, promoted through fake TeamViewer ads placed on Google Adwords, implements malware that disables all Microsoft Windows Defender security software modules, according to SentinelOne research.
The attacks are noteworthy for MSPs and MSSPs -- many of which may use Google Search to seek out and evaluate remote control software such as TeamViewer to remotely manage customer systems.
How ZLoader Delivers Malware
The typical infection, according to the SentinelLabs research team at SentinelOne, occurs as follows:
- A user performs a search on www.google.com to find a website to download software. In this case, SentinelLabs searched for “team viewer download”.
- The user clicks on an advertisement shown by Google and is redirected to the fake TeamViewer site under the attacker’s control.
- The user is tricked into downloading the fake software in a signed MSI format.
- Once the user clicks on the advertisement, it will redirect through the aclk page. This redirect demonstrates the attackers usage of Google Adwords to gain traffic.
ZLoader is a banking trojan that implements web injection to steal cookies, passwords and any sensitive information, SentinelOne says. It has also been used to deliver ransomware families like Egregor and Ryuk, SentinelOne adds.
How to Defend Against Ransomware Attacks
To mitigate the risk of ransomware attacks, the FBI and CISA say MSSPs and MSPs should take these seven steps:
- require multi-factor authentication (MFA);
- implement network segmentation;
- scan for vulnerabilities and keep software updated;
- remove unnecessary applications and apply controls — and be sure to investigate any unauthorized software, particularly remote desktop or remote monitoring and management software;
- implement endpoint and detection response tools;
- limit access to resources over the network, especially by restricting RDP; and
- secure user accounts.