Microsoft’s E-Signature Verification Exploited by Malsmoke
Table of Contents
- By David Lukic
- Published: Jan 05, 2022
- Last Updated: Mar 18, 2022
Malsmoke, a hacking collective, is administering a campaign to steal information. The data theft is performed with the use of ZLoader malware. This is the same malware used in previous years to transmit Conti and Ryuk ransomware. All in all, Malsmoke has exploited more than 2,000 targets spanning 110+ countries. Most of the attacks are in the United States, India, and Canada.
How is the Information Stolen?
The Malsmoke threat actors exploit the Microsoft digital signature verification. This exploitation sets the stage for stealing user credentials and other valuable information. The data theft occurs with the delivery of ZLoader malware.
How was the Attack Discovered?
Check Point Research (CPR) discovered the Malsmoke attacks. CPR reported the group’s exploitation of the Microsoft E-signature verification on Wednesday. CPR representatives state the attacks date back to November of 2021.
Why is the Attack Meaningful?
One of CPR’s malware researchers, Kobi Eisenkraft, has gone to great lengths to heighten awareness of the Malsmoke group’s latest attacks. Eisenkraft insists people should be aware that they cannot immediately trust the digital signature of Microsoft files. Furthermore, the attack is even more of a threat as it is occurring on a weekly basis. CPR representatives state the attack is a component of an ever-evolving campaign that will continue to progress into new variations as time progresses.
What, Exactly, is ZLoader?
ZLoader is best described as a banking trojan that relies on web injection to steal target machines’ passwords, cookies, and additional valuable information. ZLoader is problematic to the point that it caught the attention of CISA, short for Cybersecurity Infrastructure and Security Agency, back in September. CISA views ZLoader as a significant threat as it distributes several different types of ransomware.
Digital miscreants also used ZLoader as a key payload in several spearphishing campaigns. One of those campaigns launched in the spring of ’20 attempted to manipulate people after the pandemic began. Attackers transmitted ZLoader through Google AdWords in a campaign back in September of ’21, employing a mechanism that prevented Windows Defender modules from functioning on target machines.
How are the Hackers Using Java?
The Malsmoke hacking team employed ZLoader in the past, to zero in on individuals surfing the web and visiting adult pornography pages. This ZLoader attack was launched in November of ’20 through a campaign that transmitted a trojan through phony Java updates. The latest hacking campaign levied by the digital criminals employs Java within an attack vector, beginning the attack with the installation of a program for remote management that appears to be a legitimate Java installation. At this point, the hacker obtains comprehensive access to the targeted system. Once access is obtained, the hacker can upload and download files as desired. The hacker can also run scripts as well.
The next step is implementing a mshta.exe using the file known as appContast.dll for the parameter. This supposedly trustworthy Microsoft file transmits the payload. Microsoft signs the appContast.dll file, and more information is transmitted to the file’s end. The new information downloads and operates the last stage of the Zloader’s payload, obtaining access to the victims’ private information, including login credentials.
What is the Best Line of Defense Against Malsmoke Attacks?
According to CPR, Microsoft users should implement Microsoft’s update applicable to Authenticode verification to avoid being victimized by the campaign. CPR representatives insist this verification is not applicable by default, meaning it requires manual activation.