Cybersecurity analysts from Check Point Research have discovered a new cybercriminal campaign that abuses Microsoft's digital signature verification. To date it has claimed more than 2,170 victims in 111 countries. Most of those infected are in the United States (40%) and Canada (14%); Polish users were also among the victims (less than 1%).
Check Point Research attributes the campaign to the cybercriminal group MalSmoke, which used the well-known ZLoader Trojan to carry out the operation. This tool has so far been used in attacks on electronic banking, and since September 2021 it has been on the radar of CISA (the US Cybersecurity and Infrastructure Security Agency) as a distributor of Conti ransomware and various strains of Ryuk ransomware.
Note that a file's digital signature cannot be trusted at face value. "What we found was a new ZLoader campaign that uses Microsoft's digital signature verification to steal users' sensitive information. We started noticing the first evidence of the new campaign around November 2021. The attackers, whom we've linked to the MalSmoke group, are targeting the theft of victims' credentials and private information. So far, we have counted more than 2,000 victims in 111 countries. The authors of the ZLoader campaign seem to have gone to great lengths to evade security systems and update their methods every week," notes Kobi Eisenkraft, a malware researcher at Check Point Research.
The attack begins with the installation of a legitimate remote administration program posing as a Java installer. Once it is installed, the attacker has full access to the system and is able to upload and download files as well as run scripts. The attacker sends and runs several scripts that download further scripts, which in turn run mshta.exe with appContast.dll as a parameter. The appContast.dll file is signed by Microsoft, but additional data has been appended to the end of the file. The appended data causes the final ZLoader payload to be downloaded and launched, which then steals the victim's credentials and personal information.
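The tampered DLL works because bytes placed inside the PE certificate table are not covered by the Authenticode hash, so the signature still verifies. The following added example (written for this article, not code from Check Point Research or Microsoft) parses a PE image, locates the WIN_CERTIFICATE entry and measures how many bytes it holds beyond the DER-encoded PKCS#7 blob; the sample PE builder, the tiny DER stand-in for real SignedData and the 7-byte alignment threshold are constructed assumptions for the demonstration.

```python
import struct

def der_total_length(buf: bytes) -> int:
    """Total encoded size (tag + length field + content) of the DER element at buf[0]."""
    if len(buf) < 2:
        raise ValueError("truncated DER")
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def signature_slack(pe: bytes) -> dict:
    """Find the certificate table and measure bytes it holds beyond the PKCS#7 SignedData blob."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                                 # optional header follows 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)     # data directories: PE32 vs PE32+
    cert_off, cert_size = struct.unpack_from("<II", pe, dd_base + 4 * 8)  # SECURITY dir, raw offset
    if cert_size == 0:
        return {"signed": False, "slack": 0, "after_table": 0, "suspicious": False}
    dw_length = struct.unpack_from("<I", pe, cert_off)[0]   # WIN_CERTIFICATE.dwLength
    blob = pe[cert_off + 8:cert_off + dw_length]            # bCertificate
    slack = len(blob) - der_total_length(blob)              # bytes not covered by the signature hash
    after_table = len(pe) - (cert_off + cert_size)          # bytes appended past the table
    # up to 7 bytes is normal 8-byte alignment padding; more suggests a hidden payload (assumed threshold)
    return {"signed": True, "slack": slack, "after_table": after_table,
            "suspicious": slack > 7 or after_table > 0}

def build_sample_pe(extra: bytes = b"") -> bytes:
    """Constructed minimal PE32 image with one certificate entry (test fixture, not a real binary)."""
    pkcs7 = b"\x30\x05\x02\x03\x01\x02\x03"   # tiny DER SEQUENCE standing in for real SignedData
    body = pkcs7 + extra
    pad = (-len(body)) % 8
    cert = struct.pack("<IHH", 8 + len(body) + pad, 0x0200, 0x0002) + body + b"\0" * pad
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                         # PE32 standard fields
    dirs = bytearray(16 * 8)
    cert_off = len(dos) + len(coff) + len(opt) + len(dirs)
    struct.pack_into("<II", dirs, 4 * 8, cert_off, len(cert))
    return dos + coff + opt + bytes(dirs) + cert
```

Run `signature_slack` over a real signed binary to compare: a clean file reports a few bytes of alignment padding, while a file carrying data inside or after its certificate table is flagged even though Windows may still report the signature as valid.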
Check Point Research reported its findings to Microsoft and Atera. The company also recommends applying Microsoft's update that enforces stricter Authenticode signature checking; unfortunately, it is not enabled by default. At the same time, experts warn against installing programs from unknown sources or sites and against clicking on unknown links and attachments received by mail.