An ongoing ZLoader malware campaign has been uncovered abusing legitimate remote monitoring tools and a nine-year-old flaw in Microsoft’s digital signature verification to siphon user credentials and sensitive information.
Israeli cybersecurity company Check Point Research, which has been tracking the sophisticated infection chain since November 2021, attributed it to a cybercriminal group dubbed MalSmoke, citing similarities with previous attacks.
“The techniques incorporated in the infection chain include the use of legitimate remote management software (RMM) to gain initial access to the target machine,” Check Point’s Golan Cohen said in a report shared with The Hacker News. “The malware then exploits Microsoft’s digital signature verification method to inject its payload into a signed system DLL to further evade the system’s defenses.”
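The signed-DLL abuse the quote describes, as an added detection check that is not part of the article or of Check Point’s report: it assumes the injected payload is appended inside the file’s Authenticode certificate table, which the signature hash does not cover (that mechanism is my assumption here, not something the article states), and flags bytes in that table that are not part of the PKCS#7 signature. `build_test_pe` is a constructed stand-in for a signed DLL, not a real binary.

```python
import struct

def find_security_directory(pe: bytes):
    """Return (offset, size) of the PE security data directory, or None."""
    if pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                       # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    # data directories start at +96 (PE32) or +112 (PE32+); security is entry 4
    dd = opt + (96 if magic == 0x10B else 112) + 4 * 8
    off, size = struct.unpack_from("<II", pe, dd)
    return (off, size) if off and size else None

def der_length(buf: bytes) -> int:
    """Total encoded length (header + content) of the DER SEQUENCE at buf[0]."""
    if buf[0] != 0x30:
        raise ValueError("PKCS#7 SignedData must start with a SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def trailing_bytes_in_signature(pe: bytes) -> int:
    """Bytes inside the certificate table that are not part of any PKCS#7 blob.
    Up to 7 bytes of quadword padding per entry are legitimate."""
    sec = find_security_directory(pe)
    if sec is None:
        return 0
    off, size = sec
    end, trailing = off + size, 0
    while off + 8 <= end:
        # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
        dw_length = struct.unpack_from("<I", pe, off)[0]
        cert = pe[off + 8: off + dw_length]
        trailing += len(cert) - der_length(cert)
        off += (dw_length + 7) & ~7              # entries are quadword aligned
    return trailing

def looks_tampered(pe: bytes) -> bool:
    return trailing_bytes_in_signature(pe) > 7

def build_test_pe(appended: bytes) -> bytes:
    """Constructed minimal PE32+ image: a dummy 20-byte SignedData SEQUENCE
    (not a real signature), 4 bytes of legitimate padding, then `appended`."""
    body = b"\x30\x82\x00\x10" + b"\x00" * 16 + b"\x00" * 4 + appended
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    table_off = 64 + 4 + 20 + 240                 # DOS + "PE\0\0" + COFF + PE32+ optional header
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    struct.pack_into("<II", opt, 112 + 4 * 8, table_off, len(cert))
    return dos + b"PE\0\0" + b"\x00" * 20 + bytes(opt) + cert
```

On Windows, the `EnableCertPaddingCheck` setting under `HKLM\Software\Microsoft\Cryptography\Wintrust\Config` makes WinVerifyTrust reject such trailing data itself; the script above is a portable triage check for files collected from hosts where that hardening may not be enabled.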
A banking trojan at its core, ZLoader has been used by many attackers to steal cookies, passwords, and other private information from victims’ machines, and it has also gained notoriety as a distribution framework for Conti ransomware, according to an advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September 2021.
The campaign is said to have claimed 2,170 victims across 111 countries as of January 2, 2022, with most of the affected parties located in the U.S., Canada, India, Indonesia, and Australia. It’s also notable for the fact that it wraps itself in layers of obfuscation and other detection-evasion methods to elude discovery and analysis.
The attack flow begins by tricking users into installing Atera, a legitimate enterprise remote monitoring tool, which the attackers then use to upload and download arbitrary files and to execute malicious scripts. How the installer file is distributed to victims is still unknown.