An unknown hacking group is running a dangerous phishing campaign that uses booby-trapped CV (résumé) files to deliver the Zloader banking Trojan. The malicious code is embedded in Microsoft Excel spreadsheets as a macro; when the recipient opens the file and enables macros, the macro installs the malware and runs it on the system.
The Zloader Banking Trojan is Now Delivered Via Phishing CV Files
An unknown hacking group is delivering the Zloader banking Trojan to targets worldwide. At the time of writing the identity of the criminal group is not known; the sophistication of the new infection strategy suggests an experienced operator.
We remind our readers that Zloader is a derivative of the infamous Zeus malware, one of the most destructive and long-lived banking Trojan families. Its main function is to spy on users, watching for financial activity and interaction with online banking sites. When such activity is detected the Trojan injects an overlay into the browser session that tricks the user into believing they are entering their credentials on the legitimate site. Instead the credentials are forwarded to the hackers, who can then commit crimes such as the following:
- Financial theft - With the login details for online banks and related services, the hackers can attempt to transact on behalf of the users.
- Identity abuse - Having obtained private information about the affected people, the criminals can carry out a wide range of identity-related scams.
- Redirects and malware delivery - Because the overlays can redirect users to preset hacker-controlled pages, those pages can also host scripts that download further malware.
Phishing CV Files Are A Typical Infection Mechanism
The majority of banking Trojans are spread through infected documents, one of the most common tactics for distributing all popular kinds of malware. The method relies on embedding the necessary code in document formats that end users routinely open: text documents, presentations, spreadsheets and databases. In the Zloader campaign the hackers have embedded the malicious code in Microsoft Excel files. As soon as a victim opens one, Excel shows a prompt asking them to enable the built-in scripts (macros); the moment the user clicks through, the macro runs and the Trojan is installed.
The emails carry subjects such as the following: CV from China, CV File Attachment, Regarding a Job, Applying for a Job, Job application and so on. These are all generic-sounding messages that can be sent to HR staff without raising suspicion. Newer versions of the Trojan also add the ability to hijack data from installed web browsers, with Mozilla Firefox and Google Chrome as common targets: stored credentials, preferences, cookies, history and cache.
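The two observations above (a macro-bearing Excel attachment, and a short list of generic job-application subject lines) are enough to build a mail-gateway triage rule. The script below is an added example written for this article, not code from the article's author or from any vendor; it constructs a sample phishing e-mail in memory (sender, recipient, file name and the placeholder vbaProject.bin are all made up for the example), parses it with Python's standard email library and reports whether the subject matches one of the lure subjects quoted above and whether any Excel attachment carries a macro project. It goes slightly beyond the article by also flagging Excel 4.0 macro sheets (xl/macrosheets/) and legacy OLE2 .xls containers, since a gateway rule that only looks for vbaProject.bin is easy to sidestep.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure subjects quoted in the article, compared case-insensitively against the whole subject.
LURE_SUBJECTS = ("cv from china", "cv file attachment", "regarding a job",
                 "applying for a job", "job application")

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy binary .xls container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"  # declared in [Content_Types].xml


def excel_macro_indicators(data: bytes) -> list:
    """Return the reasons an Excel attachment looks macro-enabled (empty list = nothing found)."""
    hits = []
    if data.startswith(OLE2_MAGIC):
        # Old binary format: macros live in OLE streams; flag for sandbox review rather than guess.
        hits.append("legacy OLE2 .xls container, macros cannot be ruled out without parsing OLE streams")
        return hits
    if not data.startswith(b"PK"):          # OOXML (.xlsx/.xlsm) is a zip archive
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment claims to be a spreadsheet but is not a valid OOXML zip"]
    by_lower = {n.lower(): n for n in zf.namelist()}
    if "xl/vbaproject.bin" in by_lower:
        hits.append("VBA project stored at xl/vbaProject.bin")
    if any(n.startswith("xl/macrosheets/") for n in by_lower):
        hits.append("Excel 4.0 macro sheet under xl/macrosheets/")
    ct_name = by_lower.get("[content_types].xml")
    if ct_name and VBA_CONTENT_TYPE in zf.read(ct_name):
        hits.append("vbaProject content type declared in [Content_Types].xml")
    return hits


def triage_message(raw: bytes) -> dict:
    """Score one raw RFC 822 message: lure subject + macro spreadsheet -> quarantine."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "").strip().lower()
    subject_lure = subject in LURE_SUBJECTS
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith((".xls", ".xlsx", ".xlsm", ".xlsb")):
            indicators = excel_macro_indicators(payload)
            if indicators:
                findings.append((name, indicators))
    if subject_lure and findings:
        verdict = "quarantine"
    elif subject_lure or findings:
        verdict = "review"
    else:
        verdict = "pass"
    return {"subject": subject, "subject_lure": subject_lure,
            "findings": findings, "verdict": verdict}


def build_sample_message(subject="CV File Attachment", macro=True) -> bytes:
    """Constructed sample e-mail for the example: a minimal .xlsm (or .xlsx) attached to a job lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-'
              'officedocument.spreadsheetml.sheet.main+xml"/>')
        if macro:
            ct += '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            # Placeholder bytes; a real vbaProject.bin is an OLE2 stream holding the compressed VBA source.
            zf.writestr("xl/vbaProject.bin", b"\x01\x00placeholder VBA project (constructed)")
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"   # made-up addresses
    msg["To"] = "hr@example.org"
    msg["Subject"] = subject
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12" if macro
                       else "vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                       filename="CV.xlsm" if macro else "CV.xlsx")
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, mac in (("CV File Attachment", True), ("Quarterly figures", True), ("Meeting notes", False)):
        print(subj, "->", triage_message(build_sample_message(subj, mac))["verdict"])
```

A lure subject on its own, or a macro workbook on its own, only earns "review"; the combination the article describes is quarantined outright. Because the check inspects the attachment's contents rather than trusting its extension, renaming CV.xlsm to CV.xlsx does not change the verdict.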