Info-Stealing Malware Hits 100+ Countries

Researchers warn of a new malware campaign that has already stolen passwords and user information from over 2000 victims in 111 countries worldwide.

ZLoader is a known banking Trojan that uses web injection to steal cookies, passwords, and sensitive information. It has also been linked to the delivery of the infamous Conti and Ryuk ransomware variants.

In the past, ZLoader has been delivered via both traditional phishing email campaigns and abuse of online advertising platforms, where attackers purchase ads pointing to legitimate-looking websites hosting the malware.

The new campaign, attributed to cybercrime group Malsmoke, begins with the installation of a legitimate remote management program from Atera pretending to be a Java installation, according to Check Point.

This provides the attacker full access to the targeted system, enabling them to upload and download files and run additional scripts. One of these scripts purportedly runs “mshta.exe” with the file “appContast.dll” as the parameter.

Although appContast.dll is signed by Microsoft, the attackers found a way to exploit the firm’s digital signature verification method to add extra information to the file. This info downloads and runs the final Zloader payload, according to Check Point.

Malware researcher, Kobi Eisenkraft, explained that the Check Point team first spotted the campaign in November.

“People need to know that they can’t immediately trust a file’s digital signature. What we found was a new ZLoader campaign exploiting Microsoft’s digital signature verification to steal the sensitive information of users,” he added.

“All in all, it seems like the ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis. I strongly urge users to apply Microsoft’s update for strict Authenticode verification. It is not applied by default.”

Users were also urged not to install programs from unknown sources and not to click on links or open attachments in unsolicited messages.

It’s unknown exactly how this campaign is being disseminated, but the largest group of victims are located in the US (40%), followed by Canada (14%) and India (6%)

What’s Hot on Infosecurity Magazine?