Check Point Research identified a campaign that uses Microsoft's digital signature verification to steal user credentials and sensitive information. Attack attributed to the MalSmoke cybercriminal group
07 Jan 2022 Veronica BaloccoCheck Point Research (Cpr), the threat intelligence division of Check point software technologies, has identified a new malware campaign that leverages Microsoft's digital signature verification to steal user credentials and sensitive information. It is essentially the return of Zloader, known to be a tool for transmitting ransomware (including Ryuk and Conti), which in this new variant has affected over 2,000 victims (2,170) in 111 countries, mainly the United States, followed by Canada. and India. Cpr attributes the campaign, which dates back to November 2021, to the group of cybercriminals MalSmoke. Index of topics • The web injection technique was used • The mechanism of the attack The web injection technique was used The protagonist of this new malware campaign that uses Microsoft's digital signature verification to steal sensitive data from victims is precisely Zloader, a banking trojan that uses the web injection technique to steal cookies, passwords and any sensitive information. Zloader is already known to be a ransomware transmission tool and entered Cisa's radar in September 2021 as a threat in the distribution of Conti ransomware. During the same month, Microsoft reported that Zloader authors were buying keyword advertising on Google to distribute various types of malware, including Ryuk ransomware. Based on the findings, CPR informed Microsoft and Atera of its findings and recommended these simple guidelines to all: apply Microsoft's update for a rigorous verification of Authenticode; do not install programs from unknown sources or sites; never click on unknown links or attachments that you receive in the mail.
The mechanism of the attackBut how does the chain of infection unfold? The attack begins with the installation of a remote management program that pretends to be a Java installation. After this installation, the hacker has full access to the system and is able to upload / download files and even run scripts; then the hacker loads and runs some scripts that download other scripts that run mshta.exe with the appContast.dll file as a parameter. The appContast.dll file is signed by Microsoft, although other information has been added to the end of the file, so the added information downloads and runs the final Zloader payloader, stealing the user's credentials and the victims' private information. "People need to know that they cannot immediately trust a digital signature of a file," says Kobi Eisenkraft, Malware researcher at Check point software technologies. What we found is a new Zloader campaign that leverages Microsoft's digital signature verification to steal sensitive user information. We started seeing evidence of the new campaign around November 2021. The attackers, which we attribute to MalSmoke, are attempting to steal user credentials and victims' private information. So far, we have counted more than 2,000 victims in 111 countries. It appears that the authors of the Zloader campaign have put a lot of effort into breaking down the defenses and are still updating their methods weekly. I strongly urge users to apply Microsoft's update with rigorous Authenticode verification, as it is not applied by default. "
COMMENT:We report this article that testifies how the RSA cryptographic system, key-public-private key, the basis of the block-chain, is in bad shape.