ZE Loader

ZE Loader is a banking Trojan that tries to steal online banking credentials from its victims through overlay attacks. Unlike a typical banking Trojan, however, ZE Loader also opens a backdoor connection to the compromised device, uses several stealth techniques to stay hidden, and establishes persistence so that its assets remain on the device across reboots.

The threat is distributed bundled with a legitimate software product. When the unsuspecting user launches the application, a DLL hijack takes place: a malicious DLL has replaced the application's original 'DVDSetting.dll', so the application loads the malware's code in its place.

Establishing Its Presence

To evade detection by anti-malware solutions, ZE Loader changes the names and extensions of its files. It also tampers with the device's Remote Desktop settings to open unobstructed backdoor access; in particular, it makes it possible for the threat actors to establish multiple concurrent RDP (Remote Desktop Protocol) sessions. The registry values it changes are listed below (shown with their correct Windows names; note that fDenyTSConnections must be 0 for RDP connections to be accepted, while the other two are set to 1 to allow concurrent sessions):

HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections

HKLM\System\CurrentControlSet\Control\Terminal Server\Licensing Core\EnableConcurrentSessions

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions

Furthermore, the threat creates a new local user account named 'Administart0r' with the password '123mudar' and adds it to the local administrators group, which is named 'administradores' on the Portuguese- or Spanish-language Windows installations where this group name is seen.

Collecting Data

Once these preparations are complete, ZE Loader starts monitoring the victim's activity on the device. It waits either for an online banking session to be authenticated in the browser or for the user to open a targeted banking application on the desktop. To do so, it enumerates all running processes and terminates the ones that would stand in the way of its overlay.

To maintain the illusion that the legitimate application did in fact open, the malware displays a new window containing images that mimic the targeted bank's application. These images are stored in encrypted form on the compromised device in the /JDK_SDK directory and are decrypted and loaded when needed. Whatever the victim enters into the fake window is captured by the threat actors, who can use it for financial fraud or other illicit activities.
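As an added hunting check (not part of the original write-up, and not ZE Loader's own code), the following PowerShell audits a host for the indicators described in the two sections above: the three RDP-related registry values, the 'Administart0r' account and its membership in the administrators group, and the image cache directory. The administrators group is looked up by its well-known SID S-1-5-32-544 rather than by name, so the check works on a localized system where it is called 'administradores'. The directory path is an assumption, since the text gives only '/JDK_SDK' without a drive; the script checks it under the system drive.

```powershell
# Added hunting check for the ZE Loader indicators described above.
# Run in an elevated PowerShell session on the host being examined.

# Registry values the malware tampers with; 'Bad' is the value that means
# RDP access / multiple sessions are enabled (0 for fDenyTSConnections, 1 for the others).
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';                Name = 'fDenyTSConnections';        Bad = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core'; Name = 'EnableConcurrentSessions';  Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';          Name = 'AllowMultipleTSSessions';   Bad = 1 }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "[ok]   $($c.Name) is not set"
        continue
    }
    $value = $item.($c.Name)
    if ($value -eq $c.Bad) {
        Write-Output "[WARN] $($c.Path)\$($c.Name) = $value (remote/multi-session access enabled)"
    } else {
        Write-Output "[ok]   $($c.Name) = $value"
    }
}

# Rogue local account named in the write-up.
$rogue = Get-LocalUser -Name 'Administart0r' -ErrorAction SilentlyContinue
if ($rogue) {
    Write-Output "[WARN] local account 'Administart0r' exists (enabled: $($rogue.Enabled))"
} else {
    Write-Output "[ok]   no local account named 'Administart0r'"
}

# Membership in the built-in Administrators group, resolved by SID so the check
# does not depend on the localized group name ('administradores').
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$members    = Get-LocalGroupMember -Group $adminGroup -ErrorAction SilentlyContinue
$hit        = $members | Where-Object { $_.Name -like '*\Administart0r' }
if ($hit) {
    Write-Output "[WARN] $($hit.Name) is a member of '$($adminGroup.Name)'"
}

# Image cache used for the overlay windows. The drive is not given in the write-up;
# checking under the system drive is an assumption of this script.
$cacheDir = Join-Path $env:SystemDrive 'JDK_SDK'
if (Test-Path $cacheDir) {
    $count = (Get-ChildItem -Path $cacheDir -File -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
    Write-Output "[WARN] $cacheDir exists with $count file(s)"
} else {
    Write-Output "[ok]   $cacheDir not present"
}
```

A clean host prints only [ok] lines. Any [WARN] line is worth following up, but note that fDenyTSConnections = 0 on its own only means Remote Desktop is enabled, which is normal on many managed machines; it is the combination with the concurrent-session values and the rogue account that matches the behaviour described here.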
