ZLoader steals cookies, passwords etc.

Check Point Research (CPR) has spotted a new malware campaign that exploits Microsoft's digital signature verification to steal victims' sensitive information.

ZLoader is a banking trojan that uses web injection to steal cookies, passwords and other sensitive information.

ZLoader is known to have delivered ransomware in the past: CISA flagged it in September 2021 as a distribution method for Conti ransomware. That same month, Microsoft reported that ZLoader's operators had bought Google keyword ads to distribute various malware families, including Ryuk ransomware.

Today CPR publishes a report detailing the reappearance of ZLoader in a campaign that has claimed over 2,000 victims in 111 countries. CPR attributes the campaign to the cybercriminal group MalSmoke.

Infection chain

1. The attack begins with the installation of a legitimate remote management program disguised as a Java installer.

2. Once it is installed, the attacker has full access to the system and can upload and download files and run scripts. The attacker uploads and executes scripts that download further scripts, which in turn run mshta.exe with the file appContest.dll as a parameter.

3. The file appContest.dll carries a valid Microsoft signature, even though additional data has been appended to the end of the file.

4. That appended data downloads and executes the final ZLoader payload, which steals credentials and personal information from the victims.

Figure 1. Simplified image of the infection chain


Victims

So far, CPR has recorded 2170 unique victims. Most of them are in the United States, followed by Canada and India.

Figure 2. Number of victims per country


Attribution:

CPR assesses that the cybercriminals behind the campaign are Malsmoke, based on certain similarities with previous campaigns.

Disclosure:

CPR informed Microsoft and Atera of its findings.

Kobi Eisenkraft, Malware Researcher at Check Point, said:

"People need to know that they cannot immediately trust the digital signature of a file. What we found was a new ZLoader campaign that takes advantage of Microsoft Digital Signature Verification to steal sensitive user information. We first started seeing elements of the new campaign around November 2021. The attackers, to whom we attribute the attack, are MalSmoke, who seek to steal users' credentials and personal information from the victims. So far, we have counted more than 2.170 victims in 111 countries and we continue. Overall, it seems that the perpetrators of the Zloader campaign are making great efforts to avoid detection and continue to update their methods on a weekly basis. I urge users to apply the Microsoft Authenticode authentication update as it is not installed by default."

Security tips

1. Apply Microsoft's update for strict Authenticode verification; it is not enabled by default.

2. Do not install programs from unknown sources or sites.

3. Do not open links or unknown attachments that you receive by email.
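The trick in step 3 of the infection chain (data added to the Microsoft-signed appContest.dll without invalidating its signature) and the strict Authenticode verification that tip 1 asks users to enable are two sides of the same check. The Python script below is an added example, not code from Check Point Research or from this article: it parses a PE file's Attribute Certificate Table, measures how many bytes sit inside the WIN_CERTIFICATE entry beyond the DER-encoded PKCS#7 signature blob, and flags anything beyond a few zero bytes of alignment padding, which is the condition the strict padding check enforces. The two PE images it scans are constructed in memory, with a placeholder DER blob (FAKE_PKCS7) standing in for a real signature; build_sample_pe, check_certificate_table and the sample names are this example's own.

```python
import struct

# Constructed stand-in for a DER-encoded PKCS#7 SignedData blob (SEQUENCE tag 0x30
# with a long-form length). It is NOT a real Authenticode signature, only a
# well-formed DER SEQUENCE whose length the checker can read.
FAKE_PKCS7 = b"\x30\x82\x00\x0c" + b"\x02\x01\x01" + b"\x04\x07" + b"signed!"

IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_total_length(buf):
    """Total size (tag + length field + content) of the DER SEQUENCE at buf[0],
    or None if the bytes are not a well-formed SEQUENCE header."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def security_directory(pe):
    """Return (file offset, size) of the Attribute Certificate Table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20               # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layout
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def check_certificate_table(pe):
    """Report bytes hidden inside the WIN_CERTIFICATE entry after the PKCS#7 blob.
    Authenticode hashes neither the certificate table nor its directory entry, so
    data stashed there keeps the signature valid unless the strict padding check
    is enabled."""
    off, size = security_directory(pe)
    report = {"signed": size != 0, "slack_bytes": 0, "nonzero_slack": False,
              "overlay_bytes": 0, "suspicious": False}
    if size == 0:
        return report
    report["overlay_bytes"] = len(pe) - (off + size)   # anything past the table
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if dw_length > size or cert_type != 0x0002:        # 0x0002 = PKCS_SIGNED_DATA
        report["suspicious"] = True
        return report
    blob = pe[off + 8: off + dw_length]
    der_len = der_total_length(blob)
    if der_len is None or der_len > len(blob):
        report["suspicious"] = True
        return report
    slack = blob[der_len:]
    report["slack_bytes"] = len(slack)
    report["nonzero_slack"] = any(slack)
    # Legitimate files carry at most 7 zero bytes of alignment padding here.
    report["suspicious"] = len(slack) > 7 or any(slack)
    return report


def build_sample_pe(pkcs7, extra=b""):
    """Constructed, headers-only PE32+ image with a single WIN_CERTIFICATE entry.
    `extra` is placed after the PKCS#7 blob inside the entry, with dwLength and
    the directory size enlarged to cover it, mirroring the tampered DLL."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = struct.pack("<H", 0x20B) + b"\0" * 110                   # PE32+ magic, rest zeroed
    cert_off = 64 + 4 + 20 + 240                                   # = 328, already 8-byte aligned
    payload = pkcs7 + extra
    payload += b"\0" * (-len(payload) % 8)                         # quad-word alignment padding
    dw_length = 8 + len(payload)
    entries = [(0, 0)] * 16
    entries[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_off, dw_length)
    headers = dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *e) for e in entries)
    return headers + struct.pack("<IHH", dw_length, 0x0200, 0x0002) + payload


CLEAN_SAMPLE = build_sample_pe(FAKE_PKCS7)
TAMPERED_SAMPLE = build_sample_pe(FAKE_PKCS7, extra=b"<constructed appended loader bytes>")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(name, check_certificate_table(sample))
```

To scan a real binary, pass its bytes to check_certificate_table. A clean signed file reports no non-padding slack; a file carrying appended data inside the certificate table reports nonzero_slack even though, on a system without the strict check enabled, the signature still verifies, which is the behaviour the article describes. The script reads only the first WIN_CERTIFICATE entry; files with several entries would need the loop extended.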


Written by newsbot
