[MART] - Daily Diary #425 - Zloader Malware Bypasses Microsoft Signature Verification

CTAS-MAT ctas-mat at appgate.com
Wed Jan 5 21:19:37 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

01/05/2022 - Diary entry #425:

Zloader is banking malware with information-stealing capabilities that has evolved considerably since it first appeared in 2015. Later, Zloader started to be used to deploy additional payloads, including ransomware strains such as Egregor and Ryuk. More recently, a new Zloader campaign that started in November 2021 has been spotted, affecting more than 2,100 victims in 111 countries, mostly in the U.S., Canada, India, Indonesia, and Australia.

In this new campaign, the infection starts with the installation of Atera, a legitimate enterprise remote monitoring and management (RMM) product. Atera has already been used by the Conti ransomware group to gain persistence and remote access. In this case, it is used to upload and execute several ".bat" scripts with different purposes. Next, it runs mshta.exe with the file appContast.dll as the parameter.

The appContast.dll was specially crafted to exploit a known issue tracked as CVE-2013-3900, which allows remote attackers to execute arbitrary code by appending data to the signature section of a portable executable file without invalidating its digital signature. Since it is not possible to run compiled code from the signature section of a PE, the threat actors place a script written in VBScript or JScript there and run the file using mshta.exe.

Finally, appContast.dll is used to execute the main Zloader payload by calling msiexec.exe and injecting the payload into the running process, which then communicates with the C2 server.
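The reason the appended data survives signature verification is that Authenticode hashing skips the whole Attribute Certificate Table (the WIN_CERTIFICATE entry pointed to by data directory 4), so bytes placed after the real PKCS#7 blob but inside the entry's dwLength are never hashed. The script below is an added example written for this diary entry, not code from the original post or from Appgate: it builds a constructed, non-executable PE32+ image with a fake (filler) PKCS#7 blob, once with and once with a placeholder string appended inside the certificate entry, and reports how many non-zero bytes sit beyond the DER-encoded blob. The directory parsing handles both PE32 and PE32+ headers, so the check also works on real files read from disk; everything else (the image layout, the placeholder, the field names in the returned dict) is an assumption of this example.

```python
import struct

# Offsets follow the PE/COFF specification: the data directory array starts at
# byte 112 of a PE32+ optional header (96 for PE32) and entry 4 is
# IMAGE_DIRECTORY_ENTRY_SECURITY, the Attribute Certificate Table.
SECURITY_DIRECTORY_INDEX = 4

# Constructed stand-in for a DER PKCS#7 SignedData blob: a SEQUENCE with a
# two-byte long-form length (0x82) wrapping 297 filler bytes, 301 bytes total.
FAKE_PKCS7 = b"\x30\x82" + struct.pack(">H", 297) + b"\xAA" * 297


def build_minimal_pe(cert_blob: bytes, appended: bytes = b"") -> bytes:
    """Constructed, non-executable PE image: DOS header, PE signature, COFF header,
    PE32+ optional header, then one WIN_CERTIFICATE entry whose dwLength covers
    cert_blob plus whatever is appended after it (the CVE-2013-3900 layout)."""
    header_len = 0x40 + 4 + 20 + 240            # DOS hdr + "PE\0\0" + COFF + PE32+ optional hdr
    body = cert_blob + appended
    pad = (-len(body)) % 8                      # certificate entries are rounded up to 8 bytes
    win_cert = struct.pack("<IHH", 8 + len(body) + pad, 0x0200, 0x0002) + body + b"\0" * pad

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)       # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)        # NumberOfRvaAndSizes
    # For the security directory, VirtualAddress is a file offset, not an RVA
    struct.pack_into("<II", opt, 112 + SECURITY_DIRECTORY_INDEX * 8, header_len, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


def find_security_directory(pe: bytes) -> tuple:
    """Return (file_offset, size) of the Attribute Certificate Table; (0, 0) means unsigned."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                     # skip signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)
    return struct.unpack_from("<II", pe, dd_base + SECURITY_DIRECTORY_INDEX * 8)


def der_sequence_length(blob: bytes) -> int:
    """Total length (header + contents) of the DER SEQUENCE at the start of blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_cert_padding(pe: bytes) -> dict:
    """Report bytes inside the WIN_CERTIFICATE entry that lie beyond the PKCS#7 blob.
    Authenticode hashing excludes the whole certificate table, so such bytes never
    disturb the signature; only zero alignment padding is expected there."""
    off, size = find_security_directory(pe)
    if size == 0:
        return {"signed": False, "appended_bytes": 0, "suspicious": False}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    entry = pe[off + 8: off + dw_length]        # bCertificate: everything after the 8-byte header
    der_len = der_sequence_length(entry)
    trailing = entry[der_len:]
    appended = len(trailing.rstrip(b"\0"))      # zero bytes are legitimate alignment padding
    return {
        "signed": True,
        "revision": revision,
        "cert_type": cert_type,
        "declared_length": dw_length,
        "pkcs7_length": der_len,
        "trailing_bytes": len(trailing),
        "appended_bytes": appended,
        "suspicious": appended > 0 or len(trailing) >= 8,
    }


if __name__ == "__main__":
    clean = build_minimal_pe(FAKE_PKCS7)
    # The placeholder stands in for the script an attacker would hide in the entry
    tampered = build_minimal_pe(FAKE_PKCS7, b"APPENDED-DATA-PLACEHOLDER")
    for name, image in (("clean", clean), ("tampered", tampered)):
        print(name, check_cert_padding(image))
```

Run against a real signed file by reading it into `pe` and calling `check_cert_padding`; any non-zero trailing bytes are the condition this campaign relies on. On Windows, Microsoft ships the stricter verification as an opt-in: setting the REG_SZ value `EnableCertPaddingCheck` to `1` under `HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config` (and the `Wow6432Node` path on 64-bit systems) makes WinVerifyTrust reject files whose certificate entry contains non-padding data beyond the signature.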

Kind Regards,





Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
C: +55 11 97467 9549
