An ongoing Zloader campaign uses a new method to disable Microsoft Defender Antivirus (formerly known as Windows Defender). According to Microsoft's own statistics, Microsoft Defender Antivirus is currently running on over a billion Windows 10 devices.
The threat actors have begun buying Google Ads for applications such as Discord, TeamViewer and Zoom; the adverts redirect victims to fake download sites. The victim is then prompted to download a signed MSI installer, which delivers the Zloader payloads.
More worryingly, Zloader has also recently been used to deploy ransomware strains such as Ryuk and Egregor. The malware includes functionality for persistence and remote access, and it can also be used as a dropper for other payloads.
A successful infection can give the threat actor a foothold on the infected host and, potentially, lead to compromise of the entire network. Because of Zloader's capabilities, the operators can deploy further malware, including ransomware, and maintain persistence on the compromised system. Additionally, some antivirus and EDR products may struggle to detect an infection in progress because of the use of a signed MSI and the abuse of legitimate Windows binaries.
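Because the campaign's first move is to silence Defender, the most useful check a defender can run on a suspect host is an audit of Defender's own state. The script below is an added example written for this page, not code from the article or from Bleeping Computer, and the article does not say which specific settings the malware changes; the checks are generic tamper indicators (protection switches turned off, exclusions added, and the operational-log events Defender writes when its configuration changes). It assumes the Defender PowerShell module shipped with Windows 10/11 and an elevated shell; the `IsTamperProtected` property is only present on recent builds, so it is checked before use.

```powershell
# Added example (not from the article): audit Microsoft Defender Antivirus
# for signs that it has been switched off or had exclusions added, the
# kind of tampering the Zloader campaign relies on before dropping payloads.
# Assumes the Defender PowerShell module (Windows 10/11) and an elevated shell.

$status   = Get-MpComputerStatus
$prefs    = Get-MpPreference
$findings = @()

# 1. Core protection switches. Any of these being off on a managed host is worth an alert.
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }
if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behaviour monitoring disabled' }
if (-not $status.IoavProtectionEnabled)     { $findings += 'Downloaded-file (IOAV) scanning disabled' }
if ($prefs.DisableScriptScanning)           { $findings += 'Script scanning disabled' }
if ($prefs.MAPSReporting -eq 0)             { $findings += 'Cloud-delivered protection (MAPS) off' }

# Tamper Protection blocks exactly this class of change; the property only
# exists on recent builds, so check for it before reading it.
if ($status.PSObject.Properties['IsTamperProtected'] -and -not $status.IsTamperProtected) {
    $findings += 'Tamper Protection off'
}

# 2. Exclusions. Attackers typically exclude the path or process they are about to use.
foreach ($p in $prefs.ExclusionPath)      { $findings += "Path exclusion: $p" }
foreach ($p in $prefs.ExclusionProcess)   { $findings += "Process exclusion: $p" }
foreach ($e in $prefs.ExclusionExtension) { $findings += "Extension exclusion: $e" }

# 3. Defender's operational log records the tampering itself:
#    5001 = real-time protection disabled, 5007 = configuration changed,
#    5010 = malware scanning disabled, 5012 = virus scanning disabled.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007, 5010, 5012
    StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches
foreach ($ev in $events) {
    $firstLine = ($ev.Message -split "`n")[0]
    $findings += "[{0}] Event {1}: {2}" -f $ev.TimeCreated, $ev.Id, $firstLine
}

# 4. Signature age: a silenced engine usually stops updating as well.
if ($status.AntivirusSignatureAge -gt 3) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Defender tampering indicators found.'
} else {
    Write-Warning "Defender tampering indicators on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell session; on a fleet it belongs in a scheduled job or an EDR live-response script so that a host whose Defender state changed can be compared against the expected baseline rather than inspected by hand. Exclusions are the item to read most carefully: a single new path or process exclusion created shortly before an MSI installation is a strong signal even when every protection switch still reports as enabled.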
There is no specific remediation for this malware strain; however, there are steps that reduce the likelihood of compromise:
Source: Bleeping Computer