Malware: New campaign discovered in 111 countries
EDP Line, 10/01/2022

Check Point Research identifies a new malware campaign that uses Microsoft's digital signature verification to steal credentials

Check Point Research (CPR), the threat intelligence division of Check Point Software Technologies, has identified a new malware campaign that leverages Microsoft's digital signature verification to steal user credentials and sensitive information. Called Zloader, the malware has affected over 2,000 victims in 111 countries. CPR attributes the campaign, which dates back to November 2021, to the cybercriminal group MalSmoke. Zloader is known as a delivery tool for ransomware, including Ryuk and Conti.

In particular, it should be noted:

• 2,170 victims in 111 countries
• Most of the victims reside in the United States (40%), followed by Canada and India
• CPR urges users to apply Microsoft's update for strict Authenticode verification, since the update is not applied by default

The protagonist of this new malware campaign, which uses Microsoft's digital signature verification to steal sensitive data from victims, is Zloader, a banking trojan that uses the web injection technique to steal cookies, passwords and any other sensitive information. Zloader is already known as a ransomware delivery tool and came onto CISA's radar in September 2021 as a threat involved in the distribution of Conti ransomware. During the same month, Microsoft reported that Zloader's authors were buying keyword advertising on Google to distribute various types of malware, including Ryuk ransomware.

Today CPR released a report explaining the reappearance of Zloader in a campaign by the cybercriminal group MalSmoke, which has claimed over 2,000 victims in 111 countries. CPR has informed Microsoft and Atera of its findings and recommends these simple guidelines to everyone:

1. Apply Microsoft's update for strict Authenticode verification. It is not applied by default.
2. Do not install programs from unknown sources or sites.
3. Never click on unknown links or attachments that you receive by e-mail.

How does the chain of infection take place?

1. The attack begins with the installation of a remote management program that pretends to be a Java installation.
2. After this installation, the attacker has full access to the system and is able to upload and download files and even run scripts; the attacker then loads and runs scripts that download further scripts, which run mshta.exe with the appContast.dll file as a parameter.
3. The appContast.dll file is signed by Microsoft, although additional data has been appended to the end of the file.
4. The appended data downloads and runs the final Zloader payload, stealing the user's credentials and the victims' private information.

Victims of the malware campaign

So far, CPR has identified 2,170 victims. Most of the victims reside in the United States, followed by Canada and India.
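The weakness the infection chain relies on is that a Windows PE file can carry bytes inside its Authenticode certificate table that the signature hash does not cover, so a file can stay "signed by Microsoft" while carrying extra data. The following Python script is an added example (not code from CPR's report or from Microsoft): it walks the PE headers to the security data directory, finds the WIN_CERTIFICATE entry, measures how many bytes sit beyond the DER-encoded PKCS#7 SignedData blob, and flags anything above normal 8-byte alignment padding. The sample PE it analyses is constructed in the script (headers plus a fake certificate entry, not a loadable image); `build_sample_pe`, `analyze_authenticode_padding` and the threshold of 7 padding bytes are this example's own choices.

```python
import struct

# Index of the certificate table (Authenticode signature) in the PE data directories
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_HEADER_LEN = 8  # dwLength (4) + wRevision (2) + wCertificateType (2)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(blob: bytes) -> int:
    """Total encoded size (tag + length + content) of the DER SEQUENCE at blob[0].
    Authenticode stores the PKCS#7 SignedData as one outer SEQUENCE, so this is the
    number of bytes the signature actually accounts for."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                     # short-form length
        return 2 + first
    num = first & 0x7F                   # long-form: number of length octets
    if num == 0 or num > 4 or len(blob) < 2 + num:
        raise ValueError("unsupported or truncated DER length")
    return 2 + num + int.from_bytes(blob[2:2 + num], "big")


def analyze_authenticode_padding(pe: bytes) -> dict:
    """Locate the certificate table via the security data directory and count the bytes
    inside the WIN_CERTIFICATE entry that lie beyond the DER-encoded PKCS#7 blob.
    Those bytes are not covered by the Authenticode hash; rejecting them is what
    Microsoft's strict (padding-checking) verification does."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    cert_off, cert_size = struct.unpack_from("<II", pe, dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    if cert_off == 0 or cert_size == 0:              # security directory holds a raw file offset, not an RVA
        return {"signed": False, "unsigned_bytes": 0, "suspicious": False}
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    blob = pe[cert_off + WIN_CERT_HEADER_LEN: cert_off + dw_length]
    unsigned = len(blob) - der_total_length(blob)
    trailing = len(pe) - (cert_off + cert_size)      # bytes after the whole certificate table
    return {
        "signed": True,
        "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "unsigned_bytes": unsigned,
        "trailing_after_table": trailing,
        # up to 7 bytes of quadword alignment padding is normal; more is unsigned cargo
        "suspicious": unsigned > 7 or trailing > 0,
    }


def build_sample_pe(extra: bytes, signed: bool = True) -> bytes:
    """Constructed PE32 skeleton for this demo (headers only, not a loadable image): DOS
    header, PE signature, COFF header, optional header, and one WIN_CERTIFICATE entry
    wrapping a fake 256-byte DER SEQUENCE with `extra` bytes appended inside the entry."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)          # SizeOfOptionalHeader = 224
    opt_fixed = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # PE32 magic, 16 directories
    dirs = bytearray(16 * 8)
    image = dos + b"PE\0\0" + coff + opt_fixed
    cert_off = (len(image) + len(dirs) + 7) & ~7
    if not signed:
        return image + bytes(dirs)
    fake_der = b"\x30\x82\x01\x00" + b"\xAA" * 0x100   # constructed stand-in for PKCS#7 SignedData
    body = fake_der + extra
    entry = struct.pack("<IHH", WIN_CERT_HEADER_LEN + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    struct.pack_into("<II", dirs, IMAGE_DIRECTORY_ENTRY_SECURITY * 8, cert_off, len(entry))
    image += bytes(dirs)
    image += b"\0" * (cert_off - len(image))
    return image + entry


if __name__ == "__main__":
    for label, extra in (("clean", b""), ("aligned", b"\0" * 4), ("appended", b"\xCC" * 64)):
        print(label, analyze_authenticode_padding(build_sample_pe(extra)))
```

On a real file, `analyze_authenticode_padding(open(path, "rb").read())` gives a quick triage signal; it does not verify the signature itself, so it complements rather than replaces signature validation. The opt-in Microsoft describes for strict Authenticode verification is the `EnableCertPaddingCheck` string value set to `"1"` under `HKLM\Software\Microsoft\Cryptography\Wintrust\Config` (and under the `Wow6432Node` path on 64-bit Windows); once enabled, signatures with this kind of unsigned padding fail validation.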

Figure 2. Number of victims by country

Kobi Eisenkraft, Malware Researcher at Check Point Software Technologies, said: "People need to know that they can't immediately trust a file's digital signature. What we found is a new Zloader campaign that leverages Microsoft's digital signature verification to steal sensitive user information. We started seeing evidence of the new campaign around November 2021. The attackers, which we attribute to MalSmoke, are attempting to steal user credentials and victims' private information. So far, we have counted more than 2,000 victims in 111 countries. It appears that the authors of the Zloader campaign have put a lot of effort into breaking down the defenses and are still updating their methods weekly. I strongly urge users to apply Microsoft's update with rigorous Authenticode verification, as it is not applied by default."

More information on this discovery can be found on the Check Point Software Technologies blog: https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/
