ZLoader: What it is, how it works and how to prevent it | Malware spotlight

August 19, 2020 by Greg Belding

It was once said that the apple doesn’t fall far from the tree. In the case of the Zeus malware family, its fruit is known as ZLoader and it definitely has not rolled too far away. And what if I told you that sometimes the fruit starts growing into a new tree and begins using new approaches toward the goal of its attack? 

This article will detail the apple from the Zeus tree, ZLoader. We will explore what it is, how it works and how you can prevent ZLoader from maliciously impacting you and your organization.

What is ZLoader?

ZLoader is a variant of the Zeus malware (Trojan) that hit the banking industry beginning in 2006. Before 2020, it was last seen in the summer of 2018. It has seen a significant increase in presence on the web since January 1, 2020 and has been used in over 100 attack campaigns since that date, affecting victims in the United States, Canada, Australia, Poland and Germany. 

ZLoader relies on emails containing COVID-19 lures, which recent incarnations of Zeus (such as Zeus Sphinx) have also been spotted using. Taking it a step further, ZLoader also uses other lures such as malicious resumes/CVs, invoices and more-than-a-little-shady-looking Excel attachments. 

Think of these lures as the grown-up version of a stranger offering you candy in a white van. However, this candy has titles such as “COVID-19 prevention tips,” “COVID-19 prevention,” “regarding job” and “applying for a job.” This goes to show the depths that attackers will stoop to: what with lockdowns and job losses still mounting, these titles prey on the vulnerabilities of affected individuals.

ZLoader, also known as Silent Night and ZBot, is currently under active development and has spawned over 25 different versions since it reemerged. These variants are largely a product of the Zeus code leak of 2011, which speaks to the effectiveness of the Zeus malware family. It should be noted that as of May 20, 2020, researchers were discovering one new campaign using ZLoader each day.

Researchers at Proofpoint have found that while different groups operate ZLoader, a group named TA511 (also MAN1 and Moskalvzapoe) has been one of the top threat actors responsible for the spread of ZLoader since its resurgence.

How ZLoader works

ZLoader is spread through aggressive email campaigns in which the email carries either a malicious attachment with a provocative title referring to COVID-19 or job seeking, or an invoice with a link to an infected Microsoft Word file. In the case of the invoice email, users download the malware installer when they click the “Enable Content” button on the document.

A noteworthy campaign was observed in April 2020. It informed victims that they had been in contact with a COVID-19-infected family member, neighbor or work colleague and that they needed to get tested for the virus. Attached to this email was a malicious Excel file that the email claimed contained nearby testing center information.

Once installed on a computer, ZLoader proceeds to hit victims the way many banking Trojans do — by using webinjects to swipe passwords, login credentials and cookies from the victim’s web browsers. Those who use the infected computer for online banking or financial account access may have their banking information and other sensitive information stolen. 

It should be noted that the original ZLoader had some advanced features that are no longer found in the new versions, such as string encryption and code obfuscation. Based on these changes, researchers believe that the new version of ZLoader is a fork of the version last seen in 2018.

Don’t think that this means that the new ZLoader is not advanced in its own right. It boasts what researchers call “anti-analysis mechanisms,” such as constant obfuscation, junk code to throw off would-be detection and Windows API function hashing, as well as C&C blacklisting of malware analysis systems and sandboxes. These features make ZLoader harder for administrators to detect and for researchers to reverse-engineer, which makes it easier for the malware to maintain its presence on the compromised system.

ZLoader is a great example of the fact that when threats are successful, they do not just fade away into the ether of the internet. Rather, they undergo something between development and redesign and then rear their heads at some point in the future. Why? Simple — because threats like these work and attackers know it.

Preventing ZLoader

The best advice for prevention is ordinarily quite simple: do not click on links or download attachments contained in emails from unknown senders. However, that may not be enough this time. Simply put, ZLoader plays upon people's fears and vulnerabilities during the COVID-19 pandemic and mass unemployment, which may increase the odds of that infected attachment being downloaded.

Below are some tips for preventing ZLoader:

  • The Government (and the President) will not be emailing you if you come in contact with a COVID-19-infected patient
  • During times of job hunting, only download attachments from senders that you know or have previously corresponded with legitimately
  • Deploy an antivirus, anti-malware or email security solution to help you catch email-spread threats such as ZLoader
  • As always, change your passwords regularly
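As an added illustration of the third tip above (not code from the article or from any vendor product), the following mail-gateway heuristic scores an inbound message against the lure patterns the article describes: COVID-19 and job-hunting subjects, macro-capable Excel or Word attachments, and invoice messages that link to a downloadable Word file. The keyword list, threshold and sample message are constructed for this example.

```python
# Added example: flag inbound mail that combines several of the ZLoader lure
# traits described in the article. Keyword list, extensions, threshold and
# the sample message below are constructed assumptions, not vendor rules.
from email import message_from_string
import re

LURE_SUBJECTS = ("covid", "regarding job", "applying for a job", "invoice", "resume")
MACRO_EXTENSIONS = (".xlsm", ".docm", ".xls", ".doc")   # formats that can carry VBA macros
OFFICE_LINK = re.compile(r"https?://\S+\.(?:docm?|xlsm?)\b", re.IGNORECASE)

# Constructed sample modelled on the April 2020 "testing center" lure.
SAMPLE_LURE = """\
Subject: COVID-19 prevention tips
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You were in contact with an infected neighbor; see the attached testing centers.
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="testing_centers.xlsm"

AAAA
--b1--
"""

def lure_indicators(raw):
    """Return the list of ZLoader-style lure indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    subject = (msg.get("Subject") or "").lower()
    if any(k in subject for k in LURE_SUBJECTS):
        hits.append(f"lure subject: {subject!r}")
    for part in msg.walk():                      # root message plus every MIME part
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            hits.append(f"macro-capable attachment: {name}")
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(errors="replace")
            if OFFICE_LINK.search(body):         # invoice-style link to a Word/Excel file
                hits.append("link to a downloadable Office document")
    return hits

def should_quarantine(raw, threshold=2):
    """Hold the message for review when at least `threshold` indicators coincide."""
    return len(lure_indicators(raw)) >= threshold

if __name__ == "__main__":
    print(lure_indicators(SAMPLE_LURE), should_quarantine(SAMPLE_LURE))
```

Requiring two indicators to coincide keeps a lone "invoice" subject or a single .xls attachment from being held while still catching the lure-plus-macro combination the campaigns rely on.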


ZLoader is a strong example of the “apple not falling far from the tree” principle. Despite some changes to it, ZLoader offers similar capabilities to the Zeus malware and has some better functionalities in the way of its anti-analysis mechanisms.

Be aware that threats like ZLoader rely heavily upon the vulnerable state of those affected by COVID-19 and job loss to achieve maximum effectiveness. An ounce of prevention is worth a pound of cure.


Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.
