I. Targeted Entities

  • Online bank users

II. Introduction

An information-stealing campaign using ZLoader malware, which has been previously used to deliver other ransomware, has already claimed over 2,000 victims across more than 100 countries.

III. Background Information

Researchers at Check Point Research (CPR) discovered that the cybercriminal group “Malsmoke” has been taking advantage of Microsoft’s digital signature verification to steal user credentials and other sensitive information by delivering the ZLoader malware, which has also been used to distribute Ryuk and Conti ransomware in the past. (2) The threat actors have already claimed 2,170 victims in 111 countries, mainly in the U.S., Canada, and India.

ZLoader is a banking trojan that uses web injection to steal cookies, passwords, and other sensitive information from victims’ machines. (2) In September 2021, it caught the attention of the Cybersecurity Infrastructure and Security Agency (CISA) as a threat in the distribution of Conti and Ryuk ransomware. Attackers also used ZLoader as the delivery vehicle in multiple spearphishing campaigns, most notably at the beginning of the COVID-19 pandemic in March 2020. Again, in September of 2021, attackers spread ZLoader via Google AdWords in a campaign that used a tool to disable all Windows Defender modules on victims’ machines. (2)

This latest malware campaign by Malsmoke leverages Java in its attack vector, starting its illicit activity by installing a legitimate remote management program that acts as a Java installation. Once this happens, the attacker has full access to the victim machine and is able to upload and download files as well as run scripts. In time, attackers run a file called mshta.exe with the file appContast.dll as the parameter (which appears to be a Microsoft trusted file) to deliver the payload. CPR researchers say that appContast.dll is signed by Microsoft, even though extra information has been added to the end of the file. CPR researchers also say that, “the added information downloads and runs the final Zloader [sic] payload, stealing user credentials and private information from victims.”

Kobi Eisenkraft, a malware researcher at CPR, says that attackers have put in a great effort to evade detection. CPR has informed Microsoft and Altera, the maker of a remote management and monitoring tool, of their findings. CPR advises that Microsoft users apply Microsoft’s update for strict Authenticode verification immediately to avoid falling victim to the campaign. CPR also advised that people follow typical common-sense security practices to avoid installing programs from unknown sources, clicking on unfamiliar links, or opening unfamiliar attachments they receive in emails.

IV. MITRE ATT&CK

  • T1204 – User Execution
    ZLoader relies upon specific actions by a user in order to gain execution.
  • T1036 – Masquerading
    ZLoader attempts to manipulate features of their artifacts to make them appear legitimate or benign to users and security tools.
  • T1112 – Modify Registry
    ZLoader interacts with the Windows Registry to hide configuration information within Registry keys, and to aid in execution.
  • T1041 – Exfiltration Over C2 Channel
    ZLoader steals data by exfiltrating the data over an existing command and control server.

For more MITRE ATT&CKs, please confer the MITRE ATT&CK table in the attached CPR report: https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and anti-malware programs are scanning assets using up-to-date signatures.
  • Monitor Malware
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Implement Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/etguhg3nrjxrag2km48awhxlvxlg6p81

VII. References

(1) Cohen, Golan. “Can You Trust a File’s Digital Signature? New Zloader Campaign Exploits Microsoft’s Signature Verification Putting Users at Risk.” Check Point Research, January 5, 2022. https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/.

(2) Montalbano, Elizabeth. “’Malsmoke’ Exploits Microsoft’s E-Signature Verification.” Threatpost English Global, January 5, 2022. https://threatpost.com/malsmoke-microsoft-e-signature-verification/177363/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.