New ZLoader malware campaign hit more than 2000 victims across 111 countries

A malware campaign spreads ZLoader malware by exploiting a Windows vulnerability that was fixed in 2013 but in 2014 Microsoft revised the fix.

Experts from Check Point Research uncovered a new ZLoader malware campaign in early November 2021. The malware campaign is still active and threat actors have already stolen data and credentials of more than 2000 victims across 111 countries as of 2 Jan 2022.

Zloader is a banking malware that has been active at least since 2016, it borrows some functions from the notorious Zeus 2.0.8.9 banking Trojan and was used to spread Zeus-like banking trojan (i.e. Zeus OpenSSL).

The attack chain leverages legitimate remote management software (RMM) to gain initial access to the target system.

The infection chain starts with the installation of Atera software on the victim’s machine. Atera is a legitimate, enterprise remote monitoring and management software that can install an agent and assign the endpoint to a specific account using a unique .msi file that includes the owner’s email address. Attackers created this installer using a temporary email address: ‘Antik.Corp@mailto.plus’. Like previous Zloader campaigns, the file poses as a Java installation.

Then the malware exploits Microsoft’s digital signature verification method to inject its payload into a signed system DLL in an attempt to evade detection.

The threat actors exploit a vulnerability, tracked as CVE-2013-3900, that was discovered and fixed in 2013 but in 2014 Microsoft revised the fix.

“A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature.” reads the advisory published by Microsoft.”An attacker who successfully exploited this vulnerability could take complete control of an affected system.”

During the investigation, the experts found an open directory, hosted at teamworks455[.]com, that was holding some of the files that are downloaded un the campaign. The malware operators are changing the files every few days, the analysis of the file `entries’ allowed to retrieve the list of victims that are infected with Zloader and their country of origin.

Most of the infected systems are in the USA, Canada, Australia, India, and Indonesia.

Experts attribute this campaign to MalSmoke cybercrime group due to similarities with past attacks.

“Two noteworthy ways seen here are using legitimate RMM software as an initial access to a target machine, and appending code to a file’s signature while still maintaining the signature’s validity and running it using mshta.exe.
The ability to append code to a file’s signature has been known for many years and multiple CVEs were assigned as mentioned above.” concludes the report.”To mitigate the issue, all vendors should conform to the new Authenticode specifications to have these settings as default, instead of an opt-in update. Until that happens, we can never be sure if we can truly trust a file’s signature.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Zloader)

[adrotate banner=”5″]

[adrotate banner=”13″]