In early November 2021, Check Point Research identified a large-scale campaign distributing the Zloader banking Trojan, which steals online-banking credentials and other personal data. By January 2, 2022 the campaign had compromised victims at 2,170 unique IP addresses. What distinguishes it is that it relies on an old, known weakness in Windows digital-signature verification rather than on a new exploit.
Zloader itself is not new: in 2020 it spread through adult-content sites and even Google ads. What makes this campaign notable is how it abuses Microsoft's digital-signature (Authenticode) verification. The malicious code is appended to a legitimately signed Microsoft DLL in a part of the file that the default signature check does not cover, so the file still reports as validly signed and is not flagged by security tools that trust that status.
The infection begins with the Atera remote monitoring and management (RMM) agent, a legitimate commercial tool. The victim installs a trial build of the agent themselves from a file disguised as a Java installer (Java.msi); the installer is bound to an attacker-controlled account, so the attacker becomes the agent's administrator with full remote access to the machine. Using Atera's script-execution feature, the operator then pushes two batch files to the victim's computer: the first changes Windows Defender settings and adds exclusions for the attacker's files, and the second downloads further payloads from attacker-controlled servers.
Next, the legitimate Windows binary mshta.exe (normally used to run HTML Applications, .hta files) is launched with appContast.dll as its argument. The DLL carries a valid Microsoft signature, yet it contains appended script that downloads and runs the Zloader payload. This works because of CVE-2013-3900, the WinVerifyTrust signature-validation weakness: Microsoft shipped a fix in 2013, but in 2014 announced that the stricter check could break existing software and made it opt-in. The stricter verification is applied only when the EnableCertPaddingCheck value is set to "1" under HKLM\Software\Microsoft\Cryptography\Wintrust\Config (and under the Wow6432Node equivalent on 64-bit Windows), which most systems never do.

Check Point Research attributes the campaign to the MalSmoke group: its members favour disguising malware as Java plugins, and the distribution URL seen in this attack was already used by the group in 2020.
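The following Python script is an added example, not code from Check Point's report or from the article. It approximates the check that the opt-in Windows setting performs: it walks a PE file's security data directory to the WIN_CERTIFICATE entry, measures the DER-encoded PKCS#7 signature blob inside it, and reports any bytes that follow the blob. A legitimately signed file has at most a few zero bytes of alignment padding there; appended script of the kind used with appContast.dll shows up as a run of non-zero trailing bytes. The sample PE, the placeholder PKCS#7 blob and the payload string are all constructed for the demonstration (the blob is not a real signature and nothing here verifies a signature cryptographically), and the "suspicious" rule is this example's heuristic, not Microsoft's exact implementation.

```python
import struct

# Constructed stand-in for a DER-encoded PKCS#7 SignedData blob: SEQUENCE { INTEGER 1 }.
# It is NOT a real Authenticode signature; only its DER length matters for this check.
FAKE_PKCS7 = b"\x30\x03\x02\x01\x01"

# Constructed stand-in for script appended after the signature (the trick described above).
CONSTRUCTED_PAYLOAD = b"<script>/* appended VBScript would live here */</script>"

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _der_total_length(blob: bytes) -> int:
    """Length (tag + length octets + content) of the DER SEQUENCE starting at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    num = first & 0x7F                     # long form: number of length octets
    if num == 0 or num > 4 or len(blob) < 2 + num:
        raise ValueError("unsupported or truncated DER length")
    return 2 + num + int.from_bytes(blob[2:2 + num], "big")


def check_authenticode_padding(pe: bytes) -> dict:
    """Locate the WIN_CERTIFICATE and report bytes past the end of the PKCS#7 blob."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                                    # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)           # PE32+ vs PE32 fixed part
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_size == 0:
        return {"signed": False, "der_length": 0, "trailing_bytes": 0,
                "nonzero_trailing": 0, "suspicious": False}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected WIN_CERTIFICATE revision/type")
    cert = pe[sec_off + 8:sec_off + dw_length]             # bCertificate
    der_len = _der_total_length(cert)
    if der_len > len(cert):
        raise ValueError("PKCS#7 length exceeds WIN_CERTIFICATE")
    trailing = cert[der_len:]
    nonzero = sum(1 for b in trailing if b)
    # Heuristic (this example's, not Microsoft's exact rule): a clean signature is
    # followed only by zero padding up to the 8-byte boundary.
    return {
        "signed": True,
        "der_length": der_len,
        "trailing_bytes": len(trailing),
        "nonzero_trailing": nonzero,
        "suspicious": nonzero > 0 or len(trailing) > 7,
    }


def build_pe_with_cert(cert_blob=None) -> bytes:
    """Constructed minimal PE32+ (headers only) whose security directory points at cert_blob.
    With cert_blob=None the file is left unsigned."""
    e_lfanew = 0x40
    opt_size = 112 + 16 * 8                                # PE32+ fixed part + 16 directories
    headers_end = e_lfanew + 4 + 20 + opt_size
    sec_off = (headers_end + 7) & ~7                       # WIN_CERTIFICATE is 8-byte aligned
    win_cert = b""
    if cert_blob is not None:
        win_cert = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    buf = bytearray(sec_off + len(win_cert))
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: AMD64, 0 sections, no symbols, optional header size, DLL|EXECUTABLE|LAA
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x20B)                # PE32+ magic
    if win_cert:
        struct.pack_into("<II", buf, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         sec_off, len(win_cert))
        buf[sec_off:] = win_cert
    return bytes(buf)


if __name__ == "__main__":
    for label, blob in (("clean", FAKE_PKCS7 + b"\0" * 3),
                        ("tampered", FAKE_PKCS7 + CONSTRUCTED_PAYLOAD)):
        print(label, check_authenticode_padding(build_pe_with_cert(blob)))
```

To inspect a real binary, pass its bytes to check_authenticode_padding; a Microsoft-signed DLL normally shows a handful of zero trailing bytes, while a file carrying appended script shows hundreds of non-zero ones. Because the script only measures the gap after the PKCS#7 blob, run it alongside a proper signature check (signtool or Get-AuthenticodeSignature) rather than instead of one.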