IBM Security researchers have discovered a new form of overlay malware targeting online banking users. Dubbed ZE Loader, is a malicious Windows application that attempts to obtain financial data from victims by establishing a back door connection. However, unlike the typical banking Trojans, the ZE loader employs multiple stealth tactics to remain hidden, and stores permanent assets on infected devices.

The malware is targeting banks, online payment processors, and cryptocurrency exchanges and is able to interact with the victim’s device in real-time, thereby greatly enhancing the finesse of the whole operation. Once the victim falls into the trap, the attacker is notified in real-time and can take over the system remotely. Upon installation, the malware performs the steps listed below: 

• It ensures that the Trojan is running with administrator permissions. 

• It establishes a Remote Desktop Protocol (RDP) connection to the command-and-control server. 

• ZE Loader enables multiple RDP connections on the infected device by exploiting with the Windows Registry. 

• The malware also designs a new user account with the name Administart0r and password 123mudar. 

• Finally, the malware makes sure to allow RDP connections through the Windows Firewall. 

In the meantime, the malware will also plant some files on the victim’s device. Some of these are created to loosen the security measures, while a JDK_SDK file carries all of the assets that malware uses during its attack. This is rather uncommon – typically, Trojans that execute overlay attacks fetch their images and phishing pages from the remote server. However, this malware stores all of these assets in an encrypted state on the victim’s machine. 

The malware actively monitors newly opened processes and active browser sessions. If it spots that the victim is trying to load one of the supported online banking sites or an app that the Trojan targets, the attacker will receive a notification. Once the attackers connect via RDP, they can begin to implement commands. Usually, that would display the phishing assets from the JDK_SDK file that the ZE Loader brought along. The attackers are able to play out various scenarios to obtain data. For example, they could ask the victim for login credentials, credit card data, two-factor authentication, and more.

While the ZE Loader does not implement the most sophisticated overlay attack, it is still a very dangerous piece of malware. Protect your Windows systems from such attacks by using up-to-date antivirus tools and also make sure to learn how to browse the Web safely, researchers advised.