January 23, 2022

TheCyberThrone

Thinking Security ! Always

Microsoft Signature Verification Malsmoked !

A new malware campaign that has already stolen passwords and user information from over 2000 victims in 111 countries worldwide, researchers warn.

ZLoader is a known banking Trojan that uses web injection to steal cookies, passwords, and sensitive information. It has also been linked to the delivery of the infamous Conti and Ryuk ransomware variants.  In the past, ZLoader has been delivered via both traditional phishing email campaigns and abuse of online advertising platforms, where attackers purchase ads pointing to legitimate-looking websites hosting the malware.

Advertisements

The new campaign, connected to a cybercrime group Malsmoke, begins with the installation of a legitimate remote management program from Atera pretending to be a Java installation. This provides the attacker full access to the targeted system, enabling them to upload and download files and run additional scripts. One of these scripts purportedly runs “mshta.exe” with the file “appContast.dll” as the parameter.

Although appContast.dll is signed by Microsoft, the attackers found a way to exploit the firm’s digital signature verification method to add extra information to the file. This info downloads and runs the final Zloader payload.

People need to know that they can’t immediately trust a file’s digital signature. What we found was a new ZLoader campaign exploiting Microsoft’s digital signature verification to steal the sensitive information of users. ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis. Its strongly recommended users to apply Microsoft’s update for strict Authenticode verification. It is not applied by default.

Researchers added

Users were also urged not to install programs from unknown sources and not to click on links or open attachments in unsolicited messages. It’s unknown exactly how this campaign is being disseminated, but the largest group of victims are in the US (40%), followed by Canada (14%) and India (6%)

Advertisements

Indicators Of Compromise

Url https://asdfghdsajkl[.]com/gate.php
Url https://iasudjghnasd[.]com/gate.php
Url https://kdjwhqejqwij[.]com/gate.php
Url https://kjdhsasghjds[.]com/gate.php
Url https://dkisuaggdjhna[.]com/gate.php
Url https://dquggwjhdmq[.]com/gate.php
Url https://lkjhgfgsdshja[.]com/gate.php
Url https://daksjuggdhwa[.]com/gate.php
Url https://eiqwuggejqw[.]com/gate.php
Url https://djshggadasj[.]com/gate.php
Java.msiB9D403D17C1919EE5AC6F1475B645677A4C03FE9
new.bat0926F8DF5A40B58C6574189FFB5C170528A6A34D
new1.bat9F1C72D2617B13E591A866196A662FEA590D5677
new2.batDE0FA1529BC652FF3C10FF16871D88F2D39901A0
9092.dllA25D33F3F8C2DA6DC35A64B16229D5F0692FB5C5
Adminpriv.exe3A80A49EFAAC5D839400E4FB8F803243FB39A513
appContast.dll117318262E521A66ABA4605262FA2F8552903217
reboot.dllF3B3CF03801527C24F9059F475A9D87E5392DAE9
auto.bat3EA3B79834C2C2DBCE0D24C73B022A2FF706B4C6
Domainhttp://www.teamworks455[.]com
Defenderr.bat1CA89010E866FB97047383A7F6C83C00C3F31961
Load.batF3D73BE3F4F5393BE1BC1CF81F3041AAD8BE4F8D
%d bloggers like this: