Zloader Malware Exploits Microsoft Digital Signature Verification
Hackers are using Microsoft's digital signature verification to steal user credentials and other sensitive information by delivering the ZLoader malware. Zloader was previously used to distribute Ryuk and Conti ransomware. Researchers at Check Point Research found that Malsmoke, a hacking group, has been using Microsoft's digital signature to distribute Zloader since November 2021. The group already has over 2,000 victims in 111 countries in the United States, Canada and India.
ZLoader is a banking trojan that uses web injection to steal cookies, passwords and other sensitive information from victims' machines. It first attracted the attention of the CISA in September 2021 as a threat in the distribution of Conti ransomware. It was also used to deliver the Ryuk ransomware. Hackers also used ZLoader in multiple spearphishing campaigns, including one in March 2020 that took advantage of COVID-19. In September 2021, hackers spread ZLoader via Google AdWords in a campaign that disabled all Windows Defender modules. Malsmoke previously used ZLoader to target people visiting adult pornography sites in November 2020 in a campaign that delivered the trojan through fake Java updates.
The latest campaign by Malsmoke also uses Java by installing a legitimate remote management program that impersonates a Java installation. Once it is installed, the hackers gains full access to the system and is able to upload/download files and also run scripts. After this, they run a file called mshta.exe with the file appContast.dll as the parameter to deliver the payload. The file appContast.dll is signed by Microsoft, even though more information has been added to the end of the file. The added information downloads and runs the final Zloader payload, stealing user credentials and private information from victims.
Microsoft users should patch their machines for strict Authenticode verification immediately to avoid falling victim to the campaign since it is not applied by default. People also should follow common-sense security practices to avoid installing programs from unknown sources or sites, clicking on unfamiliar links or opening unfamiliar attachments they receive in emails.