Experts from Check Point Research warn of another dangerous cybercriminal campaign. This time it abuses the verification of Microsoft's digital signatures. So far its victims number over 2,170 people in 111 countries. Most of them are in the United States (40%) and Canada (14%); Polish users are also among the victims (under 1%).
Security researchers attribute the campaign to the cybercriminal group MalSmoke, which carried out the operation with the well-known ZLoader Trojan. This tool has so far been used in attacks on electronic banking, and since September 2021 it has been on the radar of CISA (the US Cybersecurity and Infrastructure Security Agency) as a distributor of Conti ransomware and various strains of Ryuk ransomware.
The attack begins with the installation of a legitimate remote-management program masquerading as a Java installer. Once it is in place, the attacker has full access to the system and can upload and download files and run scripts. The attacker sends and runs several scripts that download further scripts, which in turn run mshta.exe with the file appContast.dll as a parameter. appContast.dll is signed by Microsoft, but additional data has been appended to the end of the file. That appended data triggers the download and execution of the final ZLoader payload, which steals the victims' credentials and private information.
Check Point Research informed Microsoft and Atera of its findings. Check Point also recommends applying Microsoft's update that enforces strict Authenticode verification; unfortunately, it is not enabled by default.
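The point of the appContast.dll trick is that the default Authenticode check only verifies the bytes covered by the signature, so extra data tucked into the file's certificate table passes unless strict verification is enabled. The following is an added example, not code from Check Point, Microsoft or the article: a small Python script that walks a PE file to its Security data directory, parses the WIN_CERTIFICATE entry and measures how many bytes sit beyond the DER PKCS#7 structure it carries. Non-zero bytes there (beyond the normal zero padding to an 8-byte boundary) are what the strict check rejects and what this kind of loader relies on. The PE builder and the PKCS#7 blob are constructed stand-ins for the sake of a runnable demonstration; the parsing logic is the part you would run over real files.

```python
"""Detect data appended inside a PE file's Authenticode certificate table.

Added example (not code from Check Point, Microsoft or the article). The
parser follows the PE/COFF layout; build_sample_pe() and FAKE_PKCS7 are
constructed test fixtures, not real signed binaries.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4

# Constructed placeholder: a DER SEQUENCE (long-form length, 32 bytes of
# content) standing in for a real PKCS#7 SignedData blob.
FAKE_PKCS7 = b"\x30\x82\x00\x20" + b"\xA1" * 0x20
# Constructed example of data smuggled after the signature blob.
APPENDED = b"ADDED:stage2-url-placeholder"


def _der_total_length(blob: bytes) -> int:
    """Return the encoded size (tag + length + content) of the DER element at blob[0]."""
    if len(blob) < 2:
        raise ValueError("certificate blob too short to be DER")
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def inspect_authenticode(data: bytes) -> dict:
    """Locate the certificate table and measure what sits beyond the PKCS#7 blob."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    if dd + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1) > opt + size_opt:
        raise ValueError("optional header has no Security directory")
    # For the Security directory the first field is a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from(
        "<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_size == 0:
        return {"signed": False}
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    blob = data[cert_off + 8:cert_off + dw_length]
    der_len = _der_total_length(blob)
    extra = blob[der_len:]                # everything past the PKCS#7 structure
    return {
        "signed": True,
        "cert_offset": cert_off,
        "cert_size": cert_size,
        "win_cert_length": dw_length,
        "cert_type": cert_type,
        "der_length": der_len,
        "appended_bytes": len(extra),
        "appended_nonzero": any(extra),    # zero padding is normal; anything else is not
        "trailing_after_table": len(data) - (cert_off + cert_size),
    }


def build_sample_pe(pkcs7: bytes, appended: bytes = b"") -> bytes:
    """Constructed, non-loadable PE32+ shell whose only content is a certificate table."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    cert_off = (0x40 + 4 + 20 + 240 + 7) & ~7               # 8-byte aligned, as signtool does
    body = pkcs7 + appended
    body += b"\0" * (-(8 + len(body)) % 8)                  # pad WIN_CERTIFICATE to 8 bytes
    win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, len(win_cert))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    image += b"\0" * (cert_off - len(image))
    return image + win_cert


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe(FAKE_PKCS7)),
                          ("tampered", build_sample_pe(FAKE_PKCS7, APPENDED))):
        print(label, inspect_authenticode(sample))
```

To use it on a real file, read the bytes and call inspect_authenticode(); a report with appended_nonzero set to True on a file that WinVerifyTrust accepts is the mismatch that the strict Authenticode update closes, and it is a cheap signal to add to any pipeline that inspects signed binaries dropped by remote-management tools.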