In late May 2022, an inconspicuous and steady malware campaign began infecting thousands of computers a day all around the world, focusing heavily on Romania, the Middle East and South Asian countries while avoiding the USA and Canada as much as possible.
Unlike other campaigns, this threat actor distributes any malicious payload it can get its hands on, including variants of known tools such as Zusi, Tiggre and Wacatac used as banking trojans, stealers and generic malware loaders. Versatility in payloads, password-protected zip files, spear-phishing victims with deceptive download pages and hundreds of “disposable” domains are only part of the techniques used here to deceive and evade detection, while the malvertising continues undisturbed.
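Password-protected archives defeat content scanning at mail and web gateways, which is the point of the campaign's ZIP containers: the scanner sees an encrypted blob, while the victim is simply told the password. A defender who knows the password from threat intelligence can still open the archive and inspect what is inside. The script below is an added example, not code from the original post or from the campaign's tooling, of such a triage step: it flags encrypted members with executable-looking names, tries the documented password “1234” (the only value taken from the page), and checks whether the decrypted member starts with the MZ signature of a Windows PE file. Because Python's zipfile module can read ZipCrypto-protected members but not write them, a minimal ZipCrypto encryptor is included solely to construct the sample archive in memory; the member name setup_installer.exe, the function names and the fake PE stub are all constructed for the example.

```python
import io
import os
import struct
import zipfile
import zlib

# --- Constructing a sample archive (constructed for this example, not a real payload) ---
# Python's zipfile module can read ZipCrypto-protected members but cannot write them,
# so a minimal traditional PKWARE encryptor is included only to fabricate a test archive
# shaped like the campaign's container: a password-protected ZIP holding a single .exe.


def _crc_update(crc: int, byte: int) -> int:
    """One-byte CRC-32 register step (the table step ZipCrypto uses for its keys)."""
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def zipcrypto_encrypt(pwd: bytes, crc: int, plain: bytes) -> bytes:
    """Traditional PKWARE encryption of `plain`; returns the 12-byte header + ciphertext."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update_keys(c: int) -> None:
        keys[0] = _crc_update(keys[0], c)
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_update(keys[2], (keys[1] >> 24) & 0xFF)

    def encrypt_byte(c: int) -> int:
        k = keys[2] | 2
        keystream = ((k * (k ^ 1)) >> 8) & 0xFF
        update_keys(c)  # keys advance on the plaintext byte
        return c ^ keystream

    for p in pwd:
        update_keys(p)
    # 11 random bytes plus the high byte of the CRC; readers use that byte as a password check
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    return bytes(encrypt_byte(c) for c in header + plain)


def build_encrypted_zip(name: str, plain: bytes, pwd: bytes) -> bytes:
    """Build a single-member, stored (uncompressed), ZipCrypto-protected ZIP in memory."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    body = zipcrypto_encrypt(pwd, crc, plain)
    fn = name.encode("utf-8")
    dos_time, dos_date = 0x6000, 0x5541  # 12:00:00, 2022-10-01 (arbitrary)
    flags, method = 0x0001, 0            # bit 0 = encrypted; method 0 = stored
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(body), len(plain), len(fn), 0) + fn
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dos_time,
                          dos_date, crc, len(body), len(plain), len(fn), 0, 0, 0, 0, 0, 0) + fn
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


# --- Triage logic ----------------------------------------------------------------------
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".bat", ".cmd", ".js", ".vbs")


def triage_archive(data: bytes, known_passwords=(b"1234",)) -> dict:
    """Report encrypted members, executable-looking names, and whether one of the
    known weak passwords opens the archive and reveals a PE (MZ) payload."""
    report = {"encrypted_members": [], "executable_names": [], "password_hit": None, "pe_payload": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                report["encrypted_members"].append(info.filename)
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                report["executable_names"].append(info.filename)
        for info in zf.infolist():
            if info.is_dir() or not (info.flag_bits & 0x1):
                continue
            for pwd in known_passwords:
                try:
                    with zf.open(info, pwd=pwd) as member:
                        content = member.read()  # reading to EOF also verifies the CRC
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # wrong password: check byte or CRC failed
                report["password_hit"] = pwd.decode()
                if content.startswith(b"MZ"):
                    report["pe_payload"] = True
                break
    return report


# Constructed sample: harmless bytes that merely start like a PE file
FAKE_PE_STUB = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
SAMPLE_ARCHIVE = build_encrypted_zip("setup_installer.exe", FAKE_PE_STUB, b"1234")

if __name__ == "__main__":
    print(triage_archive(SAMPLE_ARCHIVE))
```

In a gateway or sandbox pipeline, the useful signal is the combination: an encrypted member whose name ends in an executable suffix, opened by a trivial password, whose bytes begin with MZ. A wrong or unknown password leaves `password_hit` empty; the encrypted-executable-name signal alone is still worth a verdict or a quarantine.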
ZipB — Quick Facts:
Expected Damage: Banking, Social and Cloud Account Theft
Daily Downloaded Malware Files: ~5000
Infected devices per day: ~250–500
Total Infected Devices (October 2022): ~50,000
Malicious Payload: Variable variants of Zusi, Tiggre, Wacatac, etc.
Payload Container: EXE or ZIP (with password “1234”)
Malicious Domains in use: 500+ (changes every couple of hours)!
First sighting: May 2022
Geographical Distribution: World-Wide — Heavily Focused on Romania, Middle-East, and South Asia.
Top Target Segments: Gaming, Streaming, Software Cracks, Adult
Propagation Methods: Malvertising

Deceptive Download Pages to Gain Confidence
To propagate and push this kind of malware, one of the most popular techniques today is malvertising: publishing deceptive ads through one or more of the legitimate ad networks active today. In this case, the ads lead to download landing pages that try to mimic the real download pages and the content the visitor intended