‘Malsmoke’ Exploits Microsoft’s E-Signature Verification

Threat actors are exploiting Microsoft’s digital signature verification to steal user credentials and other sensitive information by delivering the ZLoader malware, which previously has been used to distribute Ryuk and Conti ransomware, researchers have found.

Researchers at Check Point Research (CPR) discovered the cybercriminal group Malsmoke delivering the campaign, which they traced back to November 2021, according to a report posted online Wednesday.

“What we found was a new ZLoader campaign exploiting Microsoft’s digital signature verification to steal sensitive information of users,” warned Kobi Eisenkraft, a malware researcher at CPR. “People need to know that they can’t immediately trust a file’s digital signature.”

Attackers already have claimed 2,170 unique victims in 111 countries, mainly in the United States, Canada and India.

Moreover, attackers are updating attack methods “on a weekly basis” in an evolving campaign that remains very much active, Eisenkraft said.

ZLoader is a banking trojan that uses web injection to steal cookies, passwords and other sensitive information from victims’ machines. It attracted the attention of the Cybersecurity Infrastructure and Security Agency (CISA) in September 2021 as a threat in the distribution of Conti ransomware, according to CPR. It also has been used to deliver the Ryuk ransomware.

Attackers also used ZLoader as the payload in multiple spearphishing campaigns, including one in March 2020 that aimed to take advantage of the outbreak of the COVID-19 pandemic.

In September 2021, attackers spread ZLoader via Google AdWords in a campaign that used a mechanism to disable all Windows Defender modules on victim machines.

Java Impersonators

For its part, Malsmoke previously used ZLoader to target people visiting adult pornography sites in November 2020 in a campaign that delivered the trojan through fake Java updates.

The latest campaign by the criminal group also leverages Java in its attack vector, starting its nefarious activity by installing a legitimate remote management program that impersonates a Java installation, according to CPR.

Once this occurs, the attacker has full access to the system and is able to upload/download files and also run scripts, which it proceeds to do, researchers said.

Eventually, attackers run a file called mshta.exe with the file appContast.dll as the parameter – which appears to be a Microsoft trusted file – to deliver the payload.

“The file appContast.dll is signed by Microsoft, even though more information has been added to the end of the file,” according to the report. “The added information downloads and runs the final Zloader payload, stealing user credentials and private information from victims.”

Attackers “have put great effort into defense evasion,” Eisenkraft said, making it difficult to detect the malicious campaign. According to the report, CPR has informed Microsoft and Atera, maker of a remote management and monitoring tool, of its findings.

CPR advises that Microsoft users apply the company’s update for strict Authenticode verification immediately to avoid falling victim to the campaign, especially since “it is not applied by default,” Eisenkraft warned.

People also should follow the typical common-sense security practices to avoid installing programs from unknown sources or sites, clicking on unfamiliar links or opening unfamiliar attachments they receive in emails, CPR advised.

Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.