Malware exploits Microsoft digital signature verification

Check Point Research (CPR) says it has uncovered a new malware campaign. The malware, named ZLoader, exploits Microsoft’s digital signature verification, enabling it to steal user credentials alongside sensitive information. ZLoader has reportedly already stolen data from over 2,000 people across 111 countries.

CPR traced the malware campaign’s origins to November 2021 and said the cybercrime group Malsmoke was behind the attack. Malsmoke is thought to be using ZLoader to deliver ransomware linked to other cybercrime groups, including Ryuk and Conti, onto users’ systems. ZLoader is a banking trojan that uses web injection to steal cookies, passwords, and other sensitive user information.

While CPR traced this current campaign back to November 2021, ZLoader first came to the attention of cybersecurity agencies in September, specifically in relation to the distribution of Conti ransomware.

Towards the end of September 2021, a tweet from Microsoft Security Intelligence highlighted that ZLoader distributors were using Google Ads to post digital adverts posing as legitimate websites, from which various malware strains, including Ryuk ransomware, made their way onto users’ systems.

How does ZLoader work?

For ZLoader to find its way onto a user’s system, the user must first install a legitimate remote management program, which is presented to them as a Java installation. Once it is installed, the attackers have full access to the user’s system: they can download and upload files and run scripts.

With these capabilities, the attackers can then use scripts to download further malware and, eventually, the final ZLoader payload, which is the component responsible for stealing credentials and sensitive information from the user’s system.

Kobi Eisenkraft, a malware researcher at Check Point, told Digit: “People need to know that they can’t immediately trust a file’s digital signature.

“What we found was a new ZLoader campaign exploiting Microsoft’s digital signature verification to steal sensitive information of users.

“We first began seeing evidence of the new campaign around November 2021. The attackers, whom we attribute to MalSmoke, are after the theft of user credentials and private information from victims. So far, we’ve counted north of 2,000 victims in 111 countries and counting.

“All in all, it seems like the ZLoader campaign authors put great effort into defence evasion and are still updating their methods on a weekly basis. I strongly urge users to apply Microsoft’s update for strict Authenticode verification, as it is not applied by default.”
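The update Eisenkraft refers to is an opt-in hardening: Microsoft ships it as a registry setting (EnableCertPaddingCheck under the Wintrust Config key) that makes Authenticode verification reject signed files whose signature block carries extra, unsigned data. The script below is an added example written for this article, not code from Check Point or Microsoft; it checks whether that setting is enforced on the local host, optionally turns it on, and then reports the Authenticode status of executables in a directory tree using the built-in Get-AuthenticodeSignature cmdlet. The registry paths follow Microsoft’s advisory for the setting; the sample scan path is an assumption and can be replaced with any directory.

```powershell
# Added example (not from the article, Check Point or Microsoft).
# 1) Audit whether strict Authenticode verification (EnableCertPaddingCheck) is enabled.
# 2) Optionally enable it (requires an elevated session).
# 3) Report signature status for executables under a directory.

# Registry locations documented by Microsoft for the padding check; the
# Wow6432Node key covers 32-bit processes on 64-bit Windows.
$script:WintrustConfigKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Test-StrictAuthenticodeEnabled {
    # Returns one row per registry location with Enabled = $true only when the
    # value is present and set to 1 (Microsoft specifies a REG_SZ "1";
    # PowerShell's -eq also matches a DWORD 1, so both forms are accepted).
    foreach ($key in $script:WintrustConfigKeys) {
        $value = (Get-ItemProperty -Path $key -Name EnableCertPaddingCheck `
                    -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{
            Key     = $key
            Value   = $value
            Enabled = ($null -ne $value -and $value -eq '1')
        }
    }
}

function Enable-StrictAuthenticode {
    # Creates the key if missing and sets EnableCertPaddingCheck = "1".
    # Must run as an administrator; no reboot is required for new verifications.
    foreach ($key in $script:WintrustConfigKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name EnableCertPaddingCheck -Value '1' -Type String
    }
    Test-StrictAuthenticodeEnabled
}

function Get-SignatureReport {
    # Walks a directory tree and returns the Authenticode status of each
    # executable-type file. Status values come from Get-AuthenticodeSignature:
    # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$Include = @('*.exe', '*.dll', '*.msi', '*.sys')
    )
    $files = Get-ChildItem -Path $Path -File -Recurse -Include $Include -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        [pscustomobject]@{
            File       = $file.FullName
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        }
    }
}

# --- Usage (sample scan path is an assumption; adjust to the directory of interest) ---
Test-StrictAuthenticodeEnabled | Format-Table -AutoSize

# Enable-StrictAuthenticode | Format-Table -AutoSize   # run elevated to turn the check on

Get-SignatureReport -Path "$env:ProgramFiles" |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status |
    Format-Table -AutoSize
```

Run the audit first, then the scan; with the padding check enabled, a file whose signature no longer covers all of its bytes is reported with a non-Valid status instead of passing as signed, which is the condition the article’s quote warns about. Keep the resulting report alongside the signer thumbprints so that an unexpected signer or status on a previously trusted path can be reviewed rather than silently accepted.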
