October 2, 2023

A new malware campaign has already stolen passwords and user information from over 2,000 victims in 111 countries worldwide, researchers warn.

ZLoader is a known banking Trojan that uses web injection to steal cookies, passwords, and other sensitive information. It has also been linked to the delivery of the infamous Conti and Ryuk ransomware variants. In the past, ZLoader has been delivered both via traditional phishing email campaigns and by abuse of online advertising platforms, where attackers purchase ads pointing to legitimate-looking websites that host the malware.


The new campaign, attributed to the cybercrime group Malsmoke, begins with the installation of a legitimate remote management program from Atera, disguised as a Java installer. This gives the attacker full access to the targeted system, enabling them to upload and download files and run additional scripts. One of these scripts purportedly runs "mshta.exe" with the file "appContast.dll" as its parameter.

Although appContast.dll is signed by Microsoft, the attackers found a way to abuse the firm's digital signature verification method to append extra data to the file without the signature being rejected. That appended data downloads and runs the final ZLoader payload.

People need to know that they can't immediately trust a file's digital signature. What we found was a new ZLoader campaign exploiting Microsoft's digital signature verification to steal the sensitive information of users. ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis. It's strongly recommended that users apply Microsoft's update for strict Authenticode verification. It is not applied by default.

The researchers added.
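The mechanism described above (a Microsoft-signed file carrying attacker data that lax verification ignores) and the strict-verification update the researchers recommend both come down to the same structural detail: the Authenticode signature lives in a WIN_CERTIFICATE entry pointed to by the PE security directory, and a verifier that only checks the DER-encoded PKCS#7 blob inside it will not notice bytes appended after that blob but still inside the entry's declared length. The following check is an added example written for this article, not code from the original page or from the researchers. It parses the PE headers, locates the certificate table, measures the PKCS#7 DER length, and reports any trailing bytes; the "signature" and the PE skeleton it is run against are constructed stand-ins, and the appended URL is hypothetical.

```python
"""Check a PE file's Authenticode certificate table for data appended after the
PKCS#7 blob. Added example, not code from the original article or the
researchers; the sample PE and "signature" below are constructed stand-ins."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

# Constructed stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE with a
# long-form length of 256 bytes. A real signature would be far larger.
FAKE_SIGNATURE = b"\x30\x82\x01\x00" + bytes(range(256))
# Hypothetical payload an attacker might smuggle into the padding area.
APPENDED_DATA = b"https://evil.example/payload"


def der_length(blob):
    """Total encoded length of the outermost DER SEQUENCE at the start of blob."""
    if not blob or blob[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short form
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe):
    """(file offset, size) of the certificate table from the optional header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20               # skip PE signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    # Unlike other directories this entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def check_cert_padding(pe):
    """Report bytes that sit inside WIN_CERTIFICATE but outside the PKCS#7 DER.

    Authenticode pads the entry to 8 bytes with zeros, so up to 7 zero bytes is
    normal; anything longer, or any non-zero byte, is the kind of appended data
    that lax verification ignores and the strict check rejects.
    """
    off, size = security_directory(pe)
    if size == 0:
        return {"signed": False, "trailing": 0, "suspicious": False}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unsupported certificate type 0x%04x" % cert_type)
    body = pe[off + 8: off + dw_length]
    trailing = body[der_length(body):]
    suspicious = len(trailing) > 7 or any(trailing)
    return {"signed": True, "trailing": len(trailing), "suspicious": suspicious}


def build_sample_pe(signature, extra=b""):
    """Constructed, non-loadable PE32+ skeleton whose security directory points
    at a WIN_CERTIFICATE holding signature + extra (+ zero padding to 8 bytes)."""
    body = signature + extra
    body += b"\0" * ((-len(body)) % 8)
    win_cert = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    e_lfanew, opt_size = 0x40, 240
    cert_off = e_lfanew + 4 + 20 + opt_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    for label, extra in (("clean", b""), ("tampered", APPENDED_DATA)):
        print(label, check_cert_padding(build_sample_pe(FAKE_SIGNATURE, extra)))
```

Run against a real signed binary, replace the constructed sample with the file's bytes; the check does not validate the signature itself, it only flags the padding abuse, so pair it with a normal Authenticode check. On Windows the strict behaviour the researchers recommend is the opt-in padding check Microsoft shipped with its WinVerifyTrust fix (tracked as CVE-2013-3900): set the REG_SZ value EnableCertPaddingCheck to "1" under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and under the Wow6432Node equivalent on 64-bit systems), after which files carrying non-zero trailing data are no longer treated as validly signed.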

Users were also urged not to install programs from unknown sources and not to click on links or open attachments in unsolicited messages. It is not known exactly how this campaign is being disseminated, but the largest group of victims is in the US (40%), followed by Canada (14%) and India (6%).


Indicators Of Compromise

URLs:

https://asdfghdsajkl[.]com/gate.php
https://iasudjghnasd[.]com/gate.php
https://kdjwhqejqwij[.]com/gate.php
https://kjdhsasghjds[.]com/gate.php
https://dkisuaggdjhna[.]com/gate.php
https://dquggwjhdmq[.]com/gate.php
https://lkjhgfgsdshja[.]com/gate.php
https://daksjuggdhwa[.]com/gate.php
https://eiqwuggejqw[.]com/gate.php
https://djshggadasj[.]com/gate.php

Domain:

http://www.teamworks455[.]com

Files (SHA-1):

Java.msi         B9D403D17C1919EE5AC6F1475B645677A4C03FE9
new.bat          0926F8DF5A40B58C6574189FFB5C170528A6A34D
new1.bat         9F1C72D2617B13E591A866196A662FEA590D5677
new2.bat         DE0FA1529BC652FF3C10FF16871D88F2D39901A0
9092.dll         A25D33F3F8C2DA6DC35A64B16229D5F0692FB5C5
Adminpriv.exe    3A80A49EFAAC5D839400E4FB8F803243FB39A513
appContast.dll   117318262E521A66ABA4605262FA2F8552903217
reboot.dll       F3B3CF03801527C24F9059F475A9D87E5392DAE9
auto.bat         3EA3B79834C2C2DBCE0D24C73B022A2FF706B4C6
Defenderr.bat    1CA89010E866FB97047383A7F6C83C00C3F31961
Load.bat         F3D73BE3F4F5393BE1BC1CF81F3041AAD8BE4F8D
