Posted on January 6, 2022 at 1:32 PM
Threat actors have been caught abusing a weakness in Microsoft's digital signature verification to plant the Zloader malware and steal user credentials. Most victims so far are in the US and Canada, but infections have been found in more than 100 countries.
Microsoft Is Aware Of The Vulnerability
Separately, Microsoft's latest patch release addressed more than 60 other vulnerabilities reported by researchers.
The flaw the Zloader campaign relies on is not among them. It is the much older signature-verification weakness in Windows' WinVerifyTrust function, CVE-2013-3900, which lets data appended inside a signed file's certificate table pass Authenticode validation. (CVE-2021-43890, a spoofing vulnerability in the Windows AppX Installer that Microsoft also fixed in December 2021, is a different issue and not the one used here.)
Microsoft said it is aware of the research and is working with the researchers on the issue.
Chad McNaughton of Automox added that organizations have an important role of their own to play: they must remediate their systems while the exploit is being used in the wild.
The Zloader Malware Has Been Spotted In The Past
This is not the first time Zloader has been used as a delivery vehicle: as ZDNet reported earlier, the Zeus-derived banking trojan has in the past been used to drop ransomware such as Conti and Ryuk.
The current info-stealing campaign built on Zloader had already infected more than 2,000 victims across many countries at the time of the report.
Security researchers at Check Point Research (CPR) attribute the campaign to the group known as Malsmoke and have been tracking it since early November 2021.
The researchers say the Zloader campaign exploits "Microsoft's digital signature verification to steal sensitive information of users." CPR malware researcher Kobi Eisenkraft added that people should understand that they cannot put their full trust in a file's digital signature.
He added that the threat actors initially distributed Zloader through Google AdWords, in a campaign that disabled all Windows Defender modules on victim machines.
The Campaign Also Utilizes Java
Malsmoke first used Zloader in November 2020, in an attack on visitors to pornography sites. According to the researchers, the group delivered the trojan through fake Java updates.
The current campaign also leans on a fake Java installer. The infection begins with a legitimate remote management program, the Atera agent, delivered under the guise of a Java installation.
Once that agent is installed, the threat actor has full control of the system and can upload and download files and run scripts, according to the researchers.
Finally, the attackers run mshta.exe with the file appContast.dll as its argument to deliver the payload. Because appContast.dll carries a valid Microsoft signature, the file looks trustworthy, which makes this step hard to detect or block.
The research shows that the script the attackers appended to that signed DLL downloads and runs the Zloader payload, which then steals information and user credentials from the victim.
Users Have Been Advised To Apply Common Security Measures
Eisenkraft added that the threat actors have become more sophisticated and invest heavily in defense evasion. CPR has reported its findings to both Atera and Microsoft. Atera's software itself is legitimate; the attackers simply disguise its agent installer as a Java installer, and once the agent is installed it connects the victim's device to the attackers' account.
CPR advises Microsoft users to apply the update as soon as possible to avoid becoming victims. It warns that users remain at elevated risk because the protection is not turned on by default.
Users should also stick to the usual precautions so they do not unknowingly install software from untrustworthy sources. Most of these attacks start with unfamiliar sites or programs, so users should avoid opening unexpected attachments or clicking unfamiliar links received by email.
Alongside the files that launch Zloader, the attackers drop a component that targets Windows Defender. This keeps security tools from raising alerts about the loader, so the weakness in Microsoft's signature verification can be exploited unnoticed.
Microsoft addressed the issue in 2013, but in 2014 it made the stricter verification an opt-in feature. The protective behaviour is therefore off by default and must be enabled manually, by setting the EnableCertPaddingCheck value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config (and under the corresponding Wow6432Node path on 64-bit systems) as described in Microsoft's security advisory.
The company stated that users who have applied the update and enabled the configuration described in the advisory are fully protected against this technique.
Microsoft also pointed out that the bug cannot be exploited on its own: an attacker has to convince the victim to run a specially crafted PE file, which in practice means the machine must already be compromised.
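To make both points above concrete, the appended script surviving the signature check and the opt-in padding check catching it, here is an added worked example. It is not code from Check Point Research, Microsoft or the malware; it builds a constructed, non-loadable PE32+ image with one WIN_CERTIFICATE entry (the PKCS#7 blob is a tiny placeholder SEQUENCE), computes the Authenticode file hash, which by design skips the CheckSum field, the Security data-directory entry and the whole certificate table, and shows that bytes smuggled into that table leave the hash unchanged. The padding check is my reading of what Microsoft's EnableCertPaddingCheck enforces (non-zero bytes, or more than alignment padding, after the ASN.1 structure), not Microsoft's implementation.

```python
"""Why bytes appended inside a PE certificate table survive Authenticode,
and how a padding check spots them.  Added example, constructed input."""
import hashlib
import struct

OPT_PE32 = 0x10B
OPT_PE32PLUS = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4

# Constructed stand-in for the PKCS#7 SignedData blob a real file carries:
# DER SEQUENCE { INTEGER 0x010203 }.  Only its outer length matters here.
FAKE_SIGNATURE_BLOB = bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x02, 0x03])


def build_pe(signature_blob: bytes, appended: bytes = b"") -> bytes:
    """Constructed minimal PE32+ (no sections, not runnable) whose certificate
    table holds one WIN_CERTIFICATE entry; `appended` is placed after the ASN.1
    blob inside that entry, the way the signed DLL carried its script."""
    body = signature_blob + appended
    win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    win_cert += b"\x00" * (-len(win_cert) % 8)        # entries are 8-byte aligned
    cert_off = 0x200                                   # table follows the headers
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(win_cert))
    opt = struct.pack("<HBBIIIII", OPT_PE32PLUS, 14, 0, 0, 0, 0, 0, 0)
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII",
                       0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                       0x1000, cert_off, 0, 2, 0x8160,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += bytes(dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    headers = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff + opt
    return headers + b"\x00" * (cert_off - len(headers)) + win_cert


def locate(pe: bytes):
    """Return (CheckSum offset, Security directory offset, cert table offset, size)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (112 if magic == OPT_PE32PLUS else 96)   # PE32 dirs start at 96
    sec_dir = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir)
    return opt + 64, sec_dir, cert_off, cert_size              # CheckSum is at +64 in both


def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 over exactly the bytes Authenticode signs."""
    checksum_off, sec_dir, cert_off, cert_size = locate(pe)
    h = hashlib.sha256()
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:sec_dir])
    h.update(pe[sec_dir + 8:cert_off])
    h.update(pe[cert_off + cert_size:])   # bytes after the table are still covered
    return h.hexdigest()


def file_sha256(pe: bytes) -> str:
    """Plain whole-file hash, for contrast with the Authenticode hash."""
    return hashlib.sha256(pe).hexdigest()


def der_total_length(buf: bytes) -> int:
    """Byte length of the outer ASN.1 TLV (the SignedData SEQUENCE) at buf[0]."""
    if not buf or buf[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def find_cert_padding_abuse(pe: bytes) -> list:
    """Report bytes that sit inside a WIN_CERTIFICATE entry but outside its
    ASN.1 blob.  Zero bytes that only reach the next 8-byte boundary are
    legitimate; anything else is the slack this campaign abused.  This is my
    approximation of the opt-in EnableCertPaddingCheck behaviour, not
    Microsoft's code.  Returns (entry offset, slack length, first 32 bytes)."""
    _, _, cert_off, cert_size = locate(pe)
    findings = []
    pos, end = cert_off, cert_off + cert_size
    while pos + 8 <= end:
        length = struct.unpack_from("<I", pe, pos)[0]
        if length < 8:                          # zero-length or corrupt entry: stop
            break
        body = pe[pos + 8:pos + length]
        der_len = der_total_length(body)
        slack = body[der_len:]
        allowed = -(8 + der_len) % 8            # zero padding up to alignment is fine
        if len(slack) > allowed or any(slack):
            findings.append((pos, len(slack), bytes(slack[:32])))
        pos += (length + 7) & ~7
    return findings


if __name__ == "__main__":
    clean = build_pe(FAKE_SIGNATURE_BLOB)
    abused = build_pe(FAKE_SIGNATURE_BLOB, b"constructed stand-in for an appended script")
    print("authenticode hash unchanged:", authenticode_sha256(clean) == authenticode_sha256(abused))
    print("whole-file hash unchanged  :", file_sha256(clean) == file_sha256(abused))
    print("padding findings           :", find_cert_padding_abuse(abused))
```

Run as a script, it reports that the Authenticode hash is identical for the clean and the tampered image while the whole-file hash differs, and lists the smuggled slack with its offset. Pointed at a real signed file, the same `locate` and `find_cert_padding_abuse` logic is what an endpoint check needs; on a Windows host the equivalent is simply turning on the registry value the article describes so WinVerifyTrust rejects such files itself.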