WatchGuard Blog

Malware Dropped Through Google Ads Targeting Banks

Banks continue to be a top target for cyber criminals. As we indicated in our blog post on the risks to financial services networks, in 2020 alone there were more than 1,500 cyberattacks on banks, and in recent months we’ve seen incidents such as the cyberattack on the New Zealand Federal Reserve and against the largest bank in Ecuador. Now, a new threat has emerged, and its main targets are Australian and German banks.

We previously reported that members of US intelligence agencies have confirmed that they routinely use ad blockers in their web browsers, since more and more hackers are using ads to spread malware. Recently, Microsoft and the CISA agency issued a warning that confirms this: Zloader, a tool used to inject malware into systems, has used Google AdSense ads as an entry vector. According to the Redmond company, Zloader operators bought AdSense ads to distribute other malware, including the dangerous Ryuk.

The ads appeared to install a legitimate Java-based application but downloaded Zloader instead. To avoid raising any suspicions at Google, the cybercriminals also registered a front company so that they could run the malicious files through AdSense; the files themselves were also encrypted.

Cybersecurity analysts are concerned that more traditional vectors such as email are being replaced by AdSense: although this technique is not new, they consider the threat to be serious. This campaign has targeted the financial sector, but because it rides on Google search, it could reach billions of users.

Figure: Microsoft Security Intelligence, Zloader cyberattack diagram.

Stealthier Zeus variant

Zloader is a banking Trojan and a variant of Zeus, malware that has hit banking institutions since 2006. It injects malicious web code into browser sessions to steal cookie data, credentials, and other sensitive information.

However, according to cybersecurity analysts, this variant now has much stealthier distribution mechanisms, which make it less likely to be detected by more traditional security solutions. In addition, the latest versions analyzed include a feature that disables Windows Defender, the default antivirus for Windows operating systems.
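A quick way for a defender to spot the tampering described above is to audit Defender's state rather than assume it is running. The script below is an added example, not code from the WatchGuard post or from Microsoft; it assumes the Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference) is present and that it is run from an elevated session.

```powershell
# Added example: audit Windows Defender for signs it has been switched off or weakened.
# Assumes the built-in Defender module is available and the session is elevated.
function Get-DefenderTamperFindings {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $findings = @()

    # Core engine and real-time protection state, as reported by the platform.
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
    if (-not $status.IsTamperProtected)         { $findings += 'Tamper Protection is off' }

    # Preference-level switch that malware or an admin can flip.
    if ($pref.DisableRealtimeMonitoring)        { $findings += 'DisableRealtimeMonitoring preference is set' }

    # Exclusions are a common way to keep a dropper out of scanning scope.
    if ($pref.ExclusionPath)      { $findings += "Path exclusions: $($pref.ExclusionPath -join ', ')" }
    if ($pref.ExclusionProcess)   { $findings += "Process exclusions: $($pref.ExclusionProcess -join ', ')" }
    if ($pref.ExclusionExtension) { $findings += "Extension exclusions: $($pref.ExclusionExtension -join ', ')" }

    # Stale signatures suggest updates were blocked or the service was stopped for a while.
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt 3) { $findings += "Signatures are $([int]$sigAge.TotalDays) days old" }

    # Group Policy registry value that turns Defender off entirely.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableAntiSpyware -eq 1) { $findings += 'Policy DisableAntiSpyware=1 is set' }

    # Event 5001 in the Defender operational log records real-time protection being disabled.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
                 Id = 5001; StartTime = (Get-Date).AddDays(-7) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if ($events) { $findings += "Real-time protection disabled $($events.Count) time(s) in the last 7 days" }

    return $findings
}

$results = Get-DefenderTamperFindings
if ($results) {
    $results | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Defender state looks healthy.'
}
```

Each warning line is worth forwarding to a central log or EDR console, since a single host reporting "real-time protection is disabled" without a matching change ticket is exactly the signal this malware family tries to suppress.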

Full Visibility and Protected Endpoints

Zloader demonstrates that the security tools that ship by default with operating systems, along with the most traditional solutions, are not enough to protect us from new threats. Therefore, in this context, banks need their MSPs to provide them with additional tools that deliver full visibility through a reliable platform for the effective management of all their security services.

This malware also proves that, although cybersecurity awareness is essential to prevent users from falling for social engineering scams, this awareness alone is not enough. Organizations must have an extra layer of security with technologies that enable them to detect sophisticated cyberattacks at endpoints and threats that evade more traditional anti-virus solutions. WatchGuard EPDR provides comprehensive EPP and EDR protection, as well as threat scanning services and Zero Trust applications, all managed from a single Cloud-based platform. As a result, banks will be able to significantly reduce the chances of cyber threat actors gaining access through atypical entry vectors, such as Google ads.