"Info-Stealing Malware Hits 100+ Countries"

Researchers at Check Point warn of a new malware campaign that has already stolen passwords and user information from over 2,000 victims in 111 countries. ZLoader is a known banking Trojan that uses web injection to steal cookies, passwords, and other sensitive information, and it has also been linked to the delivery of the Conti and Ryuk ransomware families. In the past, researchers have seen ZLoader delivered both through traditional phishing email campaigns and through abuse of online advertising platforms, where attackers buy ads that point to legitimate-looking websites hosting the malware.

The new campaign, attributed to the cybercrime group Malsmoke, begins with the installation of a legitimate remote management program from Atera, disguised as a Java installation. This gives the attacker full access to the targeted system, including the ability to upload and download files and run additional scripts. One of these scripts reportedly runs "mshta.exe" with the file "appContast.dll" as its parameter. Although appContast.dll is signed by Microsoft, the attackers found a way to exploit the firm's digital signature verification method and add extra data to the file while its signature still verifies; that added data downloads and runs the final ZLoader payload. Malware researcher Kobi Eisenkraft said people need to know that they cannot automatically trust a file's digital signature.

The researchers noted that the campaign's authors have put great effort into defense evasion and are still updating their methods on a weekly basis. They strongly urge users to apply Microsoft's update enabling strict Authenticode verification, which is not applied by default, and advise users not to install programs from unknown sources and not to click links or open attachments in unsolicited messages.
Most of the victims of the new malware campaign are located in the US (40%), followed by Canada (14%) and India (6%).  
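The weak spot described above is that the Authenticode hash does not cover the PE certificate table, so bytes placed inside it after the PKCS#7 signature blob do not break the signature; strict verification rejects non-zero bytes there. The following defender-side check, added here as an example and not code from Check Point or Microsoft, parses a PE's security data directory and reports how many such uncovered bytes a file carries. The `build_sample_pe` helper constructs a minimal fake PE32 image with a dummy DER blob standing in for a real signature, so the check can be exercised offline; on a real Windows binary you would pass `open(path, "rb").read()`.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset/size of the Authenticode cert table

def _der_total_len(buf: bytes, pos: int) -> int:
    """Total encoded length (tag + length + content) of the DER element starting at pos."""
    first = buf[pos + 1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def check_cert_table(pe: bytes) -> dict:
    """Report bytes in the certificate table that the Authenticode hash does not cover."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                    # optional header follows 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_start = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+ data-directory offset
    sec_off, sec_size = struct.unpack_from("<II", pe, dd_start + SECURITY_DIR * 8)
    report = {"signed": sec_size != 0, "unsigned_padding": 0, "padding_is_zero": True,
              "overlay_after_table": 0}
    if sec_size == 0:
        return report
    dw_length = struct.unpack_from("<I", pe, sec_off)[0]   # WIN_CERTIFICATE.dwLength; 8-byte header
    pkcs7_start = sec_off + 8
    pkcs7_len = _der_total_len(pe, pkcs7_start)
    extra = pe[pkcs7_start + pkcs7_len:sec_off + dw_length]  # not hashed: where smuggled data can sit
    report["unsigned_padding"] = len(extra)
    report["padding_is_zero"] = not any(extra)             # zero bytes are normal 8-byte alignment padding
    report["overlay_after_table"] = len(pe) - (sec_off + sec_size)
    return report

def build_sample_pe(padding: bytes = b"") -> bytes:
    """Constructed minimal PE32 image with a fake cert table; the 'signature' is a dummy DER blob."""
    sig = b"\x30\x06" + b"\xAA" * 6                        # stands in for the PKCS#7 SignedData
    cert = struct.pack("<IHH", 8 + len(sig) + len(padding), 0x0200, 0x0002) + sig + padding
    cert_off = 0x140
    img = bytearray(cert_off)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 20, 224)            # SizeOfOptionalHeader (PE32, 16 directories)
    struct.pack_into("<H", img, 0x58, 0x10B)               # PE32 magic
    struct.pack_into("<I", img, 0x58 + 92, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x58 + 96 + SECURITY_DIR * 8, cert_off, len(cert))
    return bytes(img) + cert
```

A file reporting a non-zero `unsigned_padding` with `padding_is_zero` false deserves a closer look even when the signature itself validates; that is the condition the strict Authenticode setting rejects outright.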

Infosecurity reports: "Info-Stealing Malware Hits 100+ Countries"
