Check Point’s Golan Cohen reported: “The techniques incorporated in the infection chain include the use of legitimate remote management software (RMM) to gain initial access to the target machine. The malware then uses Microsoft’s digital signature verification method to inject its payload into a signed system DLL, allowing it to evade the system’s defences even further.”
An ongoing ZLoader malware campaign has been discovered, stealing user credentials and sensitive information by exploiting remote monitoring tools and a nine-year-old flaw in Microsoft’s digital signature verification.
Check Point Research, an Israeli cybersecurity firm that has been tracking the sophisticated infection chain since November 2021, has attributed it to a cybercriminal group known as MalSmoke, citing similarities with previous attacks.
As of January 2, 2022, the campaign was said to have claimed 2,170 victims across 111 countries, with the majority of those affected residing in the United States, Canada, India, Indonesia, and Australia. It’s also notable for eluding detection and analysis by wrapping itself in layers of obfuscation and other detection-evasion methods.
The attack begins by duping users into installing Atera, a legitimate enterprise remote monitoring tool that the attackers then use to upload and download arbitrary files and to execute malicious scripts. The exact method of distributing the installer file is still unknown.
The injection of the payload into a signed system DLL relies on CVE-2013-3900, a WinVerifyTrust signature validation vulnerability that allows remote attackers to execute arbitrary code via specially crafted portable executables: subtle changes can be made to a signed file without invalidating its digital signature, so the modified file still passes as trusted.
Finally, Check Point malware researcher Kobi Eisenkraft concluded: “It appears that the ZLoader campaign authors put a great deal of effort into defence evasion and are still updating their methods on a weekly basis,” advising users to avoid installing software from unknown sources and to use Microsoft’s strict Windows Authenticode signature verification for executable files.
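As an added defender-side example (not code from the article or from Check Point), the script below implements the check that Microsoft’s strict Authenticode mode enforces for CVE-2013-3900: the certificate table of a signed PE should be no larger than its PKCS#7 blob plus 8-byte alignment padding, so a large slack region is a sign that data was inserted without breaking the signature. The sample PE and its DER blob are constructed test data, not a real signature, and `authenticode_slack` is a hypothetical name.

```python
import struct

def _der_total_length(blob: bytes) -> int:
    """Length of the first DER element (tag + length + content); Authenticode blobs start with SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def authenticode_slack(pe: bytes) -> int:
    """Bytes in the WIN_CERTIFICATE entry beyond the PKCS#7 blob and its alignment padding; -1 if unsigned."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                              # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = opt + (112 if magic == 0x20B else 96)    # PE32+ vs PE32 layout
    sec_off, sec_size = struct.unpack_from("<II", pe, data_dirs + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    if sec_off == 0 or sec_size == 0:
        return -1
    dw_length = struct.unpack_from("<I", pe, sec_off)[0]
    blob = pe[sec_off + 8:sec_off + dw_length]           # skip dwLength/wRevision/wCertificateType
    padded = (_der_total_length(blob) + 7) & ~7          # entries are padded to 8 bytes
    return len(blob) - padded

def build_sample_pe(extra: bytes, signed: bool = True) -> bytes:
    """Minimal PE32+ image with a fake certificate table (constructed test data, not a real signature)."""
    payload = b"\x02\x01\x01" * 20                       # 60 bytes of dummy DER content
    der = b"\x30" + bytes([len(payload)]) + payload
    body = der + b"\0" * (-len(der) % 8) + extra         # legitimate padding, then injected bytes
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    sec_off = 0x40 + 4 + 20 + 240                        # DOS stub + signature + COFF + optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, sec_off, len(cert))
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + (cert if signed else b"")
```

On real files, run this alongside actual signature verification (for example `Get-AuthenticodeSignature`), since slack only indicates tampering when the signature itself still validates. The same strict behaviour is enabled system-wide through the `EnableCertPaddingCheck` value under `HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config` (and `Wow6432Node` on 64-bit Windows) as documented in Microsoft’s advisory for CVE-2013-3900.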