ZLoader – The Banking Trojan And Its Attack Campaigns

Zloader is a highly risky banking Trojan that is a variant of devastating Zeus malware. Also known as Terdot and DELoader, is active since 2015. And till now it has surfaced again and again in more 100 attack campaigns. 

This malware is mainly used to distribute Zbot malware, which is a banking Trojan. The main motive of the malware is to steal online banking credentials of the target users. Among its various functionalities, it is capable of recording keystrokes, installing other malware components, spy on browsing activities.  

Cyber-criminals often use the stolen information to make fraudulent transactions, or in some cases, they sell the information to earn money. 

Threat campaign

ZLoader was first emerged in 2015. Since its first appearance, it has made several comebacks with new dubious campaigns. It is often sold on the dark web and underground forums to hackers for as low as $500. The Trojan has kept a low profile in the past, but in the last few months after the world started to face the CONVID-19 crisis.


As mentioned earlier, the Zloader malware is based on Zeus. This is a highly notorious Trojan threat that emerged in early 2010. Due to its source code leak in 2011, many cyber-criminals used its base to built various new variants of it. And Zloader is one of them.

Earlier, the Zloader had a low-profile, however was being used in various attack campaigns and is continuing as a info-stealer since then.


From June 2016 to February 2018, the Zloader was at its peak, and spread widely by several hacking groups. One of them was TA511, also known as MAN1 or Moskalvzapoe. The then variant of the threat had a module that helps to download the banking malware component. As well as run the program using command-and-control server.

2018 In continuation:-

A new variant was out in the 2018, that was not the actual continuation of the earlier, version, rather a fork derived from it. So, there were some of the modules or functions missing like code obfuscation and string encryption so on.

However, there were some new functions added like “anti-analysis mechanisms.” Due to which, it makes detection and reverse engineer a difficult process.

December 2019:-

However, the current variant of the Zloader is still in developing phase, there were 25 versions of the malware that was observed till December 2019. While the recent one was spotted in March 2020.


Amid the corona-virus crisis, the hackers are carrying out various spam campaigns to spread malware. Even in past three months the security researcher observed higher rate of cyber-attack.

ZLoader Uses convid-19 phishing scam

ZLoader Uses convid-19 phishing scam

A spam campaign spotted in March, in which a malicious email uses convid-theme emails that warns users about coronavirus scams. As well as ask users to know about it by clicking on link containing “President Coronavirus guidance.”

A similar COVID-19 email spam campaigns resurfaced in April. The spammers were spreading spam emails  pretending to be as a pandemic relief groups.

In recent campaign the hackers uses CV-theme email campaigns to drop Zloader banking Trojan.

Means of propagation of ZLoader

Although, there are various infection vector that helps to propagate the Zloader malware. Among, which spam email campaign laden with malicious attachments are the common one.  Other than that, pirated software downloads, fake updates, spam links in the compromised websites, and exploit kits are the common distribution tactics.

Fake warnings showing missing font On the Web browsers used to spread Zloader malware:

When a user visits the malicious website, ZLoader will show a message that the web page cannot load correctly because of a missing font “Roboto Condensed.” It asks the user to download and install the font using Font Pack based on the browser being used.

ZLoader fake font distribution campaign

ZLoader fake font distribution campaign

The “Roboto Condensed” font wasn’t found.
The website you are trying to load is displayed incorrectly, as it uses the “Roboto Condensed” font. To fix the error and display the text, you have to update “Chrome Font Pack”.
Manufacturer: Google Inc. All Rights Reserved
Current Version: [version] Latest version: [version]

If you are using Mozilla, it will show Mozilla font packs and if you are using Chrome, it will show Chrome font packs. If the user chooses to download the “font,” it will run a JavaScript file and install ZLoader on your system.

As mentioned, this program tricks people into downloading and installing a file masked as a font. While the user thinks that will load the page smoothly, in the background, the malware starts to spread on the system.

Cybercriminals also use third party downloads, peer-to-peer networks such as torrent clients, free file hosting websites, and other dubious channels to spread this Trojan.

Cyber-criminals Uses Spam Campaigns to spread Zloader Trojan:

They send an email that contains attachments or website links with malicious code. If the user opens the file, the malicious program start to install in the background.

Once your computer is infected with ZLoader, it will install additional malware. If your system has out-of-date programs, it may show an error message and tell you to update your system that will download additional malware.

Cybercriminals also use software ‘cracking’ tools and patches that are meant to bypass the activation of paid software to spread malicious applications.

Modular Structure of ZLoader Malware

The distribution package contains several DLL files out of which some are malicious, and some are harmless that act as helpers.

loader-bot32.dll/.exe is the main installer of the core element.

Other files with malicious files include:

antiemule-loader-bot32.dll/.exe, bot32.dll, bot64.dll, hvnc32.dll, hvnc64.dll.
The harmless helper DLL files include zlib1.dll, libssl.dll, sqlite3.dll, and 
nss32.dat that contain several harmless PEs, including certutil.exe, libplds4.dll, 
msvcr100.dll, nss3.dll, sqlite3.dll, nssdbm3.dll, libnspr4.dll, smime3.dll, nssutil3.dll, 
nspr4.dll, softokn3.dll, freebl3.dll, and libplc4.dll.

Attack Motives Of Zloader

Once you have executed the file with malicious code, the Trojan will take the WScript.exe process that will allow it to contact its Command and Control server.

Further, it will retrieve a malicious DLL file from the server that is often self-signed to avoid detection by anti-malware software.

After which, the program will place the DLL file in the %SYSTEMDRIVE% folder and will launch itself with the help of a legitimate Regvsr32.exe file.

After execution, it will place thousands of files in the %AppData% folder. Next step is modifying the system registry to ensure persistence.

Once it gains complete persistence on the host machine, the Zloader will auto-launch itself each time the system boots. As said above, the banking Trojan can perform the following functions:

  • Apply patch to various Windows processes like ( Windows Explorer (explorer.exe), Google Chrome (chrome.exe), Mozilla Firefox (forefox.exe), and Internet Explorer (iexplorer.exe).). In order to take over web browsers to steal banking credentials.
  • Loads malicious codes in the memory that makes it even harder to detect and remove.
  • Install additional malware and applications such as Zbot. The malware along with Zbot is capable to gather all the sensitive information on the compromised computer.
  • Perform man-in-the-middle attacks

How to detect and remove ZLoader on your computer?

It is hard to detect ZLoader unless you face some attack in the form of unauthorized access attempts to your banking portals and business accounts.

However, to suspect a malware on your computer, there are some signs which you should not ignore:

  • Applications does not load properly;
  • System showing exception errors;
  • High CPU and memory usage;
  • Browser redirects to questionable sites;
  • Unknown process running in the task manager.

What To do If Infected With Zloader?

First of all scan your system with reputable anti-malware program to detect and remove the virus permanently.

  • Change passwords of bank accounts
  • Create strong passwords and enable two-factor-authentication whenever possible, to avoid any loss.
  • Install reputable anti-virus software like HitmanPro, MalwareBytes or Spyhunter 5 are capable of detecting and removing malware from your system.
  • Do not click on any link or open an email from an unknown source.

Please note that such deadly Trojan can run silently in the background. Thus, it is important to stay vigilant and keep an eye on your online transaction history.

Protect your computer with HitmanPro Now

Although, it is very important to enable 2FA on your accounts, and use strong passwords. But to keep the passwords secure you should use a reputable Password Manager tool like Dashlane(Review).

Dashlane Password Manager tool

Dashlane Password Manager tool

To secure Your Digital Wallets download DashLane Password Manager Now.

More From Unboxhow