New Zloader campaign exploits Microsoft’s Signature Verification putting users at risk

In News

Check Point Research (CPR) spots new malware campaign exploiting Microsoft’s digital signature verification to steal user credentials and sensitive information. Named ZLoader, the malware has claimed over 2,000 victims in 111 countries.

CPR attributes the campaign, which traces back to November 2021, to the cybercriminal group Malsmoke, who placed significant effort into evasion methods. ZLoader is known to be a tool in delivering ransomware, including Ryuk and Conti.   

Check Point Research (CPR) sees a new malware campaign exploiting Microsoft’s digital signature verification to steal sensitive information of victims. Named ZLoader, the malware is a banking trojan that uses web injection to steal cookies, passwords and any sensitive information. ZLoader has been known to deliver ransomware in the past and came unto CISA’s radar in September 2021 as a threat in the distribution of Conti ransomware. During the same month, Microsoft said ZLoader operators were buying Google keyword ads to distribute various malware strains, including Ryuk ransomware. Today, CPR is publishing a report that details the resurgence of ZLoader in a campaign that has taken over 2,000 victims in 111 countries. CPR is attributes the camapign to the cyber criminal group MalSmoke.

Infection Chain

  1. The attack begins with the installation of legitimate remote management program   pretending to be a Java installation
  2. After this installation, the attacker has full access to the system and is able to upload/download files and also run scripts, so the attacker uploads and runs a few scripts that download more scripts that run mshta.exe with file appContast.dll as the parameter
  3. The file appContast.dll is signed by Microsoft, even though more information has been added to the end of the file
  4. The added information downloads and runs the final Zloader payload, stealing user credentials and private information from victims

So far, CPR has documented 2170 unique victims. Most victims reside in the United States, followed by Canada and India.

CPR believes that the cybercriminals behind the campaign are Malsmoke, given a few similarities with previous campaigns.

CPR updated Microsoft and Atera of its findings.

Kobi Eisenkraft, Malware Researcher at Check Point Software said “People need to know that they can’t immediately trust a file’s digital signature. What we found was a new ZLoader campaign exploiting Microsoft’s digital signature verification to steal sensitive information of users. We first began seeing evidence of the new campaign around November 2021. The attackers, whom we attribute to MalSmoke, are after the theft of user credentials and private information from victims. So far, we’ve counted north of 2,000 victims in 111 countries and counting. All in all, it seems like the Zloader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis. I strongly urge users to apply Microsoft’s update for strict Authenticode verification, It is not applied by default”

Safety Tips :

  1. Apply Microsoft’s update for strict Authenticode verification. It is not applied by  default.
  2. Do not install programs from unknown sources or sites.
  3. Do not press on links or open unfamiliar attachments that you get by mail.



You may also read!

Parimatch Polska ⭐️ Najlepszy Bukmacher Do Warsztatów Sportowych Online!

Parimatch Casino Recenzja Spis treści Darmowe Zakłady Bonus Kasynowy Parimatch Czy Zdołam Grać W Kasynie Za Darmo? Goście Na


The Electronic Data Room for Your Startup’s Strengths and gratification

The data rooms can be used simply by anyone who regularly exchanges crucial and confidential documents that offer important


ISnSC announces secure and temper proof National ID technology

ISnSC R&D FZ LLC announced Real ID based on ISnSC’s patented technology. Real ID works offline and can be


Join Our Newsletter!

Love SecurityMEA? We love to tell you about our new stuff. Subscribe to newsletter!

Mobile Sliding Menu