Zloader makes his return with a new campaign spread to 111 countries and which already counts numerous victims. Another variant of the well-known banking malware that was on the scene in 2020 and today changes its approach in its diffusion. But while in the past it exploited adult sites, malicious documents or Google advertisements to infect PCs, now developers have used a remote software management program as a viral vector .
The campaign was most likely identified in early November 2021 and the numbers of the attack speak for themselves. In one of the domains extracted by the malware it is possible to see both the files used for the infection and an entry folder that contains the victims of Zloader classified by country. As of January 2, 2022, there were 2,170 IP addresses mostly belonging to the United States and Canada . In addition, the very up-to-date file modification dates suggest that authors are thinking of new, more effective variations.
The return of Zloader: how the attack campaign works
The Check Point Research team has analyzed the structure of the attack being perpetrated by Zloader. A similar analysis was also made by Malwarebytes two years ago during the first campaign. The rather complex and cumbersome chain of attack begins with Atera, a software for remote management and monitoring of endpoints. Atera is able to install an agent via an .msi file which is the trigger of the Zloader mechanism . In fact, the installation procedure, which emulates a Java program, allows the attacker to take possession of the PC, being able to upload and download files of any kind.
Starting from the initial installer we proceed with .bat files that bypass the defenses of Windows Defender and continue to load the malicious software several times and with multiple files. The central aspect of the attack is the evasion of Microsoft's digital signature verification mechanism . In fact, one of the libraries used for the functioning of the malware is signed by Microsoft and with a valid signature even though it contains an additional portion of payload. At this point two mechanisms come into play:
- thanks to the aforementioned library, Zloader is able to load all the remaining files and establish a connection with the Command and Control server;
- a last .bat file modifies a registry key that allows the execution of all programs with administrative privileges.
As you can guess, the evolution of malware is extremely refined and the developers have paid a lot of attention to evasion of the system's defenses . Furthermore, Zloader is able to remain active over time thanks to some configurations that guarantee its activation at each system restart.
Risks and possible countermeasures
Users infected with malicious software may find themselves exposed to sharing personal files and documents. Furthermore, since the connection with the attackers Command and Control server is active, it is in fact possible to have complete control of the computer.
As already anticipated, the campaign already has several victims and the attack method is similar to that of the MalSmoke group that had carried out such an attack in 2020.
At the moment the only suggestion to ensure the security of your system is to install Microsoft updates with a timely verification of the Authenticode . In fact, the system allows users and the operating system to verify that the program code comes from the legitimate developer. We will monitor the development of the campaign and any new variants of Zloader.
The article The eternal return of Zloader: a new campaign involving over 2000 victims comes from Tech CuE | Close-up Engineering .