Zloader cyberattacks: Microsoft e-signature verification flaw abused

Malsmoke hackers use Microsoft's flaw from 2013 to deploy data-stealing malware

Malware deployed to steal users' data by abusing the Microsoft signature verification flaw

Cybersecurity company Check Point Research shared important news. Cybercriminal group Malsmoke seems to be responsible for an ongoing ZLoader malware campaign that is exploiting remote monitoring and long-time flaw of Microsoft's digital signature verification.^[1] This could lead to serious security issues like lost credentials and leaked sensitive, important information.

Researchers just recently found out that crime actors could be using sneaky techniques. First, they gain users' trust and trick them into installing a legitimate remote management software (RMM) called Atera.^[2] With this tool, the initial access to the target device is gained and threatening malware could exploit Microsoft's digital signature verification method while avoiding defense systems.

However, Microsoft's digital signature flaw is so old, that for sure all of the cybercriminals know where to hit. Hackers could modify a legitimate common file shared between multiple pieces of software to load code and in this way, the malware is planted easily. When an infected file is digitally signed by Microsoft, hackers append a malicious script to the file without impacting Microsoft's stamp of approval.

So far, this malicious campaign has 2,170 victims coming forward. It seems that people from all over the world were hit by this campaign as of right now, at least 111 countries were affected, the U.S., Canada, Australia, Indonesia, and India being the ones, that were hit the most. Microsoft came out and said that users could keep themselves safe with the 2013 fix and reminded them that updating and enabling the configuration indicated in the security advisory is a must.

The malware could sneakily infect the device and cause some serious problems

ZLoader is quite dangerous if ignored. This is a widely known and recognized banking Trojan. It usually uses the web to steal cookies, passwords, and sensitive information.^[3] ZLoader is a variant of the Zeus malware that was a huge threat to the banking industry back in 2006. Before 2020, it was last seen in the summer of 2018 and now, it seems to be on the rise again.^[4]

Since reemerging once again, ZLoader has spawned over 25 new different versions. In previous cases, it was seen that ZLoader has been delivered via phishing email campaigns and online advertising with legitimate-looking websites that host the malware. Nowadays, criminals using ZLoader become more creative and uses systems flaws for their own benefit. Infected devices poses threat to victims as user safety and computer security is put at risk.

It is important to remove the malware as soon as possible. For that, first, the malicious payload must be eliminated, along with secondary ones. The powerful anti-malware software is imperative as well and a full system scan should be done periodically.^[5] In some cases, users aren't always aware of the malware that has infected their device, so any strange computer behavior should be taken into consideration.

MalSmoke group usually hits the porn sites

Researchers do pinpoint that MalSmoke is the group that is involved with the latest malware campaign that is exploiting remote monitoring and flaw of Microsoft's digital signature verification issues. This cybercriminals group has a long history of using similar techniques and explorations. MalSmoke's primer focus lies on malvertising and hijacking advertisements on porn and other adult content.^[6]

In the past, the group has used ZLoader as well as other popular malware like “Smoke Loader.” MalSmoke seems to improve quickly as they work on already existing tactics, while simultaneously adopting new tactics like the Java plugin that drastically increases how many individuals can be fooled. Previously, MalSmoke explored Adobe Flash Player and Internet Explorer 11, so their shift focus on Microsoft's digital signature verification should not come as a surprise.