Security researchers have identified a new campaign in which threat actors abuse Microsoft's digital signature verification to deploy Zloader, a malware family that steals banking usernames and passwords.
Zloader activity in this campaign was first spotted in Nov 2021 and was first reported by the Check Point Research team. As of Jan 02, over 2,000 IPs had downloaded the malicious DLL, including IPs from the USA, Canada and India. About two-thirds of these belong to individuals, education and government organizations, while the rest are businesses.
Zloader is not a new malware variant; similar campaigns have been seen in recent years, with the actors using adult websites, Google ads and malicious files to target devices.
What is new in this campaign is the evasion technique. The actors use a Remote Monitoring and Management (RMM) tool to establish trust and initial access on target devices. They then append code to a signed file in a way that keeps its signature valid, and execute it using mshta.exe.
“The new and most interesting thing, from my point of view, is that this is the first time we notice a Zloader campaign exploiting Microsoft’s digital signature verification method to inject its payload into a signed system DLL to further evade the system’s defenses. This evidence shows that the Zloader campaign authors put great effort into defense evasion,” said Kobi Eisenkraft, malware researcher at Check Point.
The attackers disguise their intent by first installing the Atera RMM software on the target device through its agent deployment mechanism, then binding the device to a specific account with an .MSI file that embeds the owner's email ID. The actors use a temporary email ID for this, download the file disguised as a Java application and install it on the device.
It is still unclear how the attackers deploy Atera RMM onto victim devices, but in earlier campaigns an adult video served as the bait. The video starts playing and then suddenly asks for a Java installation, which triggers the installation of the Atera-like software (a trial version) on the victim device, allowing the attackers to transfer files to it and run them without hindrance. Two .bat files are then executed: one modifies the Windows Defender configuration and the other prepares and loads the malware completely. Because malware detection tools are disabled in this first stage, Zloader runs with complete stealth.
The actors modify mshta.exe with an extra script that loads the malicious DLL. Zloader can be very effective on systems where the vulnerabilities tracked as CVE-2020-1599, CVE-2013-3900 and CVE-2012-0151 remain unpatched.
Although Microsoft addressed the signature issue with a fix in a security bulletin published in 2013, applying it could break existing software. In 2014, Microsoft delivered the stricter file verification as an optional update. That patch has to be enabled manually, and security vendors may still allow the malicious signed file to run because of the Microsoft brand and the digital signature associated with it.
Check Point has attributed the Zloader campaign to the Malsmoke operators and states that this is the first time the operators have targeted Microsoft digital signatures for their malicious purposes. Leveraging the Atera RMM software to control victim devices is also an upgrade over their previous campaign.
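The weakness described above is that the Authenticode hash skips the entire certificate table, so bytes placed after the PKCS#7 blob but inside the table are never checked unless the stricter padding verification is enabled. The following added Python example (not Check Point's or Microsoft's code) is a defender-side check that parses a PE file's certificate table and flags non-zero trailing data; `build_sample` is a constructed, non-verifying PE32+ skeleton used only to exercise the check.

```python
import struct

def locate_cert_table(pe: bytes):
    """Return (file offset, size) of the Attribute Certificate Table, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT header")
    opt = e_lfanew + 24                            # optional header after PE sig + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    off, size = struct.unpack_from("<II", pe, dirs + 32)  # entry 4 = security directory
    return (off, size) if off and size else None

def der_sequence_length(blob: bytes) -> int:
    """Encoded length of the outer DER SEQUENCE, i.e. the real end of the PKCS#7 data."""
    if blob[0] != 0x30:
        raise ValueError("certificate blob is not a DER SEQUENCE")
    if blob[1] < 0x80:
        return 2 + blob[1]
    n = blob[1] & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def check_signature_padding(pe: bytes) -> dict:
    """Flag bytes after the PKCS#7 blob: the hash skips the whole table, so they go unchecked."""
    loc = locate_cert_table(pe)
    if loc is None:
        return {"signed": False, "trailing_bytes": 0, "suspicious": False}
    off = loc[0]
    dw_length = struct.unpack_from("<IHH", pe, off)[0]      # WIN_CERTIFICATE.dwLength
    blob = pe[off + 8:off + dw_length]
    trailing = blob[der_sequence_length(blob):]
    # Legitimate signing leaves at most 7 zero bytes of 8-byte alignment padding here.
    return {"signed": True, "trailing_bytes": len(trailing),
            "suspicious": any(trailing) or len(trailing) >= 8}

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed PE32+ skeleton with a stand-in (non-verifying) signature blob, for testing."""
    pkcs7 = b"\x30\x05\x02\x03abc"                            # 7-byte DER SEQUENCE
    body = pkcs7 + b"\x00" * (-len(pkcs7) % 8) + appended
    body += b"\x00" * (-len(body) % 8)
    cert_off = 0x200
    hdr = bytearray(cert_off + 8)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                   # e_lfanew
    struct.pack_into("<H", hdr, 0x80 + 24, 0x20B)             # PE32+ magic
    struct.pack_into("<II", hdr, 0x80 + 24 + 112 + 32, cert_off, 8 + len(body))
    struct.pack_into("<IHH", hdr, cert_off, 8 + len(body), 0x0200, 0x0002)
    return bytes(hdr) + body
```

The check inspects only the first WIN_CERTIFICATE entry and does not validate the signature itself; it is a triage signal to run alongside normal signature verification, not a replacement for it.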