Cyber Daily (Momentum Media)

Malsmoke threat actors leverage Microsoft signature loophole

Cyber criminal enterprise Malsmoke has exploited a nine-year-old flaw in Microsoft Windows' digital-signature (Authenticode) verification, infecting an estimated 2,000 devices globally.

Tue, 11 Jan 2022

Cyber criminal enterprise Malsmoke has exploited a nine-year-old flaw in Microsoft Windows' digital-signature (Authenticode) verification, allegedly infecting some 2,000 devices with the ZLoader malware.

According to Check Point Research's Golan Cohen, the campaign begins with the Atera remote monitoring and management tool being installed on the victim's device; the signature flaw is exploited later in the chain, when the attackers push a legitimately Microsoft-signed DLL that has had script content appended yet still passes Windows' signature check. Atera is legitimate software used by managed service providers in over 75 countries.

“The infection starts with the installation of Atera software on the victim’s machine. Atera is a legitimate, enterprise remote monitoring and management software, designed for IT use. Atera can install an agent and assign the endpoint to a specific account using a unique .msi file that includes the owner’s email address,” Cohen said.


With the agent enrolled in an account they control, the threat actors could push files and run scripts on the device remotely, eventually deploying the ZLoader payload. According to Cohen, abuse of Atera as an initial foothold has also been seen from the Conti ransomware gang.

“Last seen in August 2021, ZLoader, a banking malware designed to steal user credentials and private information, is back with a simple yet sophisticated infection chain. Previous ZLoader campaigns, which were seen in 2020, used malicious documents, adult sites and Google ads to infect systems,” Cohen wrote on the Check Point website.

The ZLoader malware is believed to be used primarily to steal personal information, including account sign-in details; victims of the recent campaign have been reported in over 100 countries.

According to cyber security firm Proofpoint, ZLoader descends from the Zeus banking malware lineage that dates back to 2006 and is designed to let threat actors carry out fraudulent financial transactions from a victim's device.

“ZLoader, a variant of the infamous Zeus banking malware, has been around since 2006. It is a typical banking malware that makes use of webinjects to steal credentials and other private information from users of targeted financial institutions,” Dennis Schwarz, Matthew Mesa and the Proofpoint Threat Research team blogged in May 2020.

“The malware can also steal passwords and cookies stored in victim’s web browsers. With the stolen information in hand, the malware can use the VNC (virtual network computing) client it downloads to allow threat actors to connect to the victim’s system and make illicit financial transactions from the banking user’s legitimate device.”

The flaw is CVE-2013-3900, which Microsoft addressed in December 2013 (MS13-098). The Authenticode hash does not cover a PE file's certificate table, so data can be appended to the signature block without breaking the signature; Microsoft's fix rejects such extra bytes, but it is opt-in: the stricter check only applies when the EnableCertPaddingCheck registry value is set to "1" under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node twin on 64-bit systems). Systems that never set that value remain exposed by default, which is why a nine-year-old bug was still usable in this campaign.
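To see what the appended-data trick looks like on disk, and what the hardened check rejects, here is an added example (not code from the article, Check Point or Microsoft) that locates a PE file's certificate table, walks its WIN_CERTIFICATE entries, and flags any bytes after the DER-encoded PKCS#7 SignedData other than zero alignment padding. The PKCS#7 blob, the payload string and the minimal PE32+ image it builds are constructed stand-ins so the script runs offline; against a real file you would pass the bytes of the executable to `scan_pe`.

```python
import struct

# Constants from the PE and Authenticode specifications.
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_element_length(buf: bytes, offset: int = 0) -> int:
    """Total size (tag + length octets + content) of the DER element at offset."""
    if len(buf) < offset + 2:
        raise ValueError("truncated DER element")
    first = buf[offset + 1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < offset + 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[offset + 2:offset + 2 + n], "big")


def check_win_certificate(blob: bytes) -> dict:
    """Report data appended after the PKCS#7 SignedData inside one WIN_CERTIFICATE.

    The Authenticode hash excludes the certificate table, so extra bytes here leave
    the signature valid. The CVE-2013-3900 hardening rejects anything after the
    PKCS#7 element except zero padding to an 8-byte boundary; this reproduces that.
    """
    if len(blob) < 8:
        raise ValueError("blob too short for a WIN_CERTIFICATE header")
    dw_length, revision, cert_type = struct.unpack_from("<IHH", blob, 0)
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected revision/type {revision:#x}/{cert_type:#x}")
    if dw_length < 8 or dw_length > len(blob):
        raise ValueError("dwLength inconsistent with blob size")
    body = blob[8:dw_length]
    if len(body) < 2 or body[0] != 0x30:  # SignedData is a DER SEQUENCE
        raise ValueError("PKCS#7 SignedData must start with a DER SEQUENCE")
    pkcs7_len = der_element_length(body)
    if pkcs7_len > len(body):
        raise ValueError("PKCS#7 length exceeds certificate entry")
    trailing = body[pkcs7_len:]
    # A clean entry carries at most 7 zero bytes of alignment padding here.
    padding_ok = len(trailing) < 8 and trailing == bytes(len(trailing))
    return {
        "dwLength": dw_length,
        "pkcs7_len": pkcs7_len,
        "trailing_len": len(trailing),
        "appended_data": None if padding_ok else trailing.rstrip(b"\x00"),
        "suspicious": not padding_ok,
    }


def security_directory(pe: bytes) -> bytes:
    """Raw certificate table of a PE image (empty if the file is unsigned)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20            # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic == 0x10B:                     # PE32
        count_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                   # PE32+
        count_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", pe, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return b""
    # For the security directory the first field is a file offset, not an RVA.
    file_off, size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if size == 0:
        return b""
    if file_off + size > len(pe):
        raise ValueError("certificate table runs past end of file")
    return pe[file_off:file_off + size]


def scan_pe(pe: bytes) -> list:
    """Check every WIN_CERTIFICATE entry in a PE image; entries are 8-byte aligned."""
    table, results, pos = security_directory(pe), [], 0
    while pos + 8 <= len(table):
        dw_length = struct.unpack_from("<I", table, pos)[0]
        if dw_length < 8 or pos + dw_length > len(table):
            raise ValueError("malformed WIN_CERTIFICATE entry")
        results.append(check_win_certificate(table[pos:pos + dw_length]))
        pos += (dw_length + 7) & ~7
    return results


# Constructed stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE holding only the
# signedData OID (1.2.840.113549.1.7.2). Real signatures are far larger; the length logic is the same.
FAKE_PKCS7 = bytes.fromhex("300b06092a864886f70d010702")


def build_win_certificate(pkcs7: bytes, appended: bytes = b"") -> bytes:
    """WIN_CERTIFICATE entry, padded to 8 bytes as signing tools emit it (appended = attacker data)."""
    body = pkcs7 + appended
    padded = (8 + len(body) + 7) & ~7
    header = struct.pack("<IHH", padded, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return header + body + bytes(padded - 8 - len(body))


def build_fake_pe(cert_table: bytes) -> bytes:
    """Minimal constructed PE32+ image whose only populated directory is the certificate table."""
    e_lfanew, opt_size = 0x40, 240         # 240 = PE32+ optional header with all 16 directories
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)   # NumberOfRvaAndSizes
    cert_off = e_lfanew + 4 + 20 + opt_size
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert_table))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    clean = build_fake_pe(build_win_certificate(FAKE_PKCS7))
    tampered = build_fake_pe(build_win_certificate(FAKE_PKCS7, b"cmd /c start evil.exe"))
    for name, image in (("clean", clean), ("tampered", tampered)):
        print(name, scan_pe(image))
```

The tampered image keeps exactly the same PKCS#7 bytes as the clean one, which is the point of the bug: a verifier that hashes the PE and checks the signature still sees a valid Microsoft signature, and only the padding check, or a scanner like this one, notices the extra bytes. On a real system the `appended_data` field is what you would pull out for analysis, since in the Malsmoke chain it held the script that launched the payload.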

[Related: Conti emerges as growing cyber threat]
