Check Point Research (CPR) has spotted a new malware campaign that exploits Microsoft's digital signature verification to steal victims' sensitive information.
Named ZLoader, the malware is a banking trojan that uses web injection to steal cookies, passwords and any other sensitive information.
ZLoader is known to have delivered ransomware in the past: it appeared on CISA's radar in September 2021 as a distribution method for the Conti ransomware. During the same month, Microsoft stated that ZLoader's operators had bought Google keyword ads to distribute various malware payloads, including the Ryuk ransomware.
Today CPR publishes a report detailing the reappearance of ZLoader in a campaign that has claimed over 2,000 victims in 111 countries. CPR attributes the campaign to the cybercriminal group MalSmoke.
1. The attack begins with the installation of a legitimate remote management program that poses as a Java installer.
2. After this installation the attacker has full access to the system and can upload/download files and execute scripts, so the attacker uploads and runs scripts that download further scripts, which in turn run mshta.exe with the file appContast.dll as a parameter.
3. The file appContast.dll is signed by Microsoft, even though additional data has been appended to the end of the file.
4. The appended data downloads and executes the final ZLoader payload, which steals user credentials and personal information from the victims.
Figure 1. Simplified image of the infection chain
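The weakness step 3 relies on is that Authenticode's hash does not cover the bytes of the certificate table itself, so a signed PE can have extra content tucked inside that table (with the table size and WIN_CERTIFICATE length adjusted) and still verify under the default, non-strict check. The script below is an added triage example, not code from CPR or Microsoft: it parses the PE data directory, finds the certificate table, measures the DER-encoded PKCS#7 blob inside it, and reports how many bytes sit in the table beyond that blob. Anything beyond the 8-byte alignment padding is the kind of appended data the report describes. The PE builder and the 300-byte stand-in "signature" are constructed test inputs, not a real signed file.

```python
import struct

# Index of the certificate-table entry in the PE data directory.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
# Authenticode rounds the certificate table up to an 8-byte boundary, so
# fewer than 8 trailing bytes are ordinary alignment padding.
AUTHENTICODE_ALIGNMENT = 8


def der_sequence_length(blob):
    """Return the total encoded length of the outer DER SEQUENCE at the start
    of blob (tag + length bytes + content), or None if it does not parse."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def inspect_certificate_table(data):
    """Locate the PE certificate table and measure how many bytes inside it
    are not part of the PKCS#7 signature blob. Those bytes lie outside the
    Authenticode hash, which is what lets a signed file carry extra content."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20               # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                    # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    elif magic == 0x10B:                  # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic")
    result = {"signed": False, "der_length": None, "slack": 0,
              "overlay": 0, "suspicious": False}
    if struct.unpack_from("<I", data, nrva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return result
    # For this directory entry the first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from(
        "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_off == 0 or cert_size == 0:
        return result
    if cert_off + cert_size > len(data):
        raise ValueError("certificate table extends past end of file")
    dw_length = struct.unpack_from("<I", data, cert_off)[0]   # WIN_CERTIFICATE.dwLength
    blob = data[cert_off + 8:cert_off + dw_length]            # bCertificate (the PKCS#7 blob)
    der_len = der_sequence_length(blob)
    slack = len(blob) - (der_len or 0)
    result.update(
        signed=True, der_length=der_len, slack=slack,
        # Bytes after the table are reported for completeness only: they are
        # part of the hashed file content, so they break the signature rather
        # than hiding inside it.
        overlay=len(data) - (cert_off + cert_size),
        suspicious=der_len is None or slack >= AUTHENTICODE_ALIGNMENT)
    return result


def build_sample_pe(cert_der, extra_in_table=b"", overlay=b""):
    """Constructed test input: a minimal PE32+ header skeleton (no sections)
    followed by a certificate table, with optional extra bytes placed inside
    the table (the pattern described in the report) or appended after it."""
    headers = 64 + 4 + 20 + 240            # DOS header, "PE\0\0", COFF header, PE32+ optional header
    body = cert_der + extra_in_table
    body += b"\0" * (-len(body) % AUTHENTICODE_ALIGNMENT)
    win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body   # revision 2.0, PKCS#7
    buf = bytearray(headers)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 64)                   # e_lfanew
    buf[64:68] = b"PE\0\0"
    struct.pack_into("<HH", buf, 68, 0x8664, 0)             # x64 machine, zero sections
    struct.pack_into("<H", buf, 84, 240)                    # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 88, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", buf, 88 + 108, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, 88 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     headers, len(win_cert))                # certificate table offset and size
    return bytes(buf) + win_cert + overlay


# Constructed stand-in for a PKCS#7 blob: a 300-byte DER SEQUENCE with a long-form length.
FAKE_SIGNATURE = b"\x30\x82" + (300).to_bytes(2, "big") + b"\xA5" * 300

if __name__ == "__main__":
    samples = [("clean", build_sample_pe(FAKE_SIGNATURE)),
               ("padded cert table", build_sample_pe(FAKE_SIGNATURE, extra_in_table=b"X" * 64))]
    for label, pe in samples:
        print(label, inspect_certificate_table(pe))
```

On a real file, pass the bytes of the DLL to `inspect_certificate_table`; a `slack` of 8 or more means the certificate table holds data that a default Authenticode check never hashes. The strict verification update the article recommends (the `EnableCertPaddingCheck` opt-in under Microsoft's Wintrust configuration in the registry) makes Windows reject exactly this padding, so the script is mainly useful for triaging files on hosts where that opt-in has not yet been applied.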
So far, CPR has recorded 2,170 unique victims. Most of them are in the United States, followed by Canada and India.
Figure 2. Number of victims per country
CPR estimates that the cybercriminals behind the campaign are MalSmoke, given similarities to their previous campaigns.
CPR has informed Microsoft and Atera of its findings.
Kobi Eisenkraft, Malware Researcher at Check Point, said:
"People need to know that they cannot immediately trust the digital signature of a file. What we found was a new ZLoader campaign that takes advantage of Microsoft Digital Signature Verification to steal sensitive user information. We first started seeing elements of the new campaign around November 2021. The attackers, to whom we attribute the attack, are MalSmoke, who seek to steal users' credentials and personal information from the victims. So far, we have counted more than 2,170 victims in 111 countries and we continue. Overall, it seems that the perpetrators of the ZLoader campaign are making great efforts to avoid detection and continue to update their methods on a weekly basis. I urge users to apply the Microsoft Authenticode authentication update as it is not installed by default."
1. Apply Microsoft's update for strict Authenticode verification; it is not enabled by default.
2. Do not install programs from unknown sources or sites.
3. Do not open unknown links or attachments that you receive by e-mail.