Info-Stealing Malware Hits 100+ Countries

Researchers warn of a new malware campaign that has already stolen passwords and user information from over 2000 victims in 111 countries worldwide.

ZLoader is a known banking Trojan that uses web injection to steal cookies, passwords, and sensitive information. It has also been linked to the delivery of the infamous Conti and Ryuk ransomware variants.

In the past, ZLoader has been delivered via both traditional phishing email campaigns and abuse of online advertising platforms, where attackers purchase ads pointing to legitimate-looking websites hosting the malware.

The new campaign, attributed to the cybercrime group Malsmoke, begins with the installation of a legitimate remote management program from Atera disguised as a Java installation, according to Check Point.

This provides the attacker full access to the targeted system, enabling them to upload and download files and run additional scripts. One of these scripts purportedly runs “mshta.exe” with the file “appContast.dll” as the parameter.

Although appContast.dll is signed by Microsoft, the attackers found a way to exploit the firm’s digital signature verification method to append extra information to the file without invalidating the signature. This appended data downloads and runs the final ZLoader payload, according to Check Point.
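One defender-side check that follows from this technique, added here as an example and not taken from Check Point's analysis: the Authenticode hash of a PE file excludes the certificate table itself, so bytes appended inside the WIN_CERTIFICATE entry do not break the signature. The Python below parses the security data directory and reports how many bytes sit beyond the DER-encoded PKCS#7 blob; `build_sample_pe` constructs a synthetic PE with a fake signature blob purely to exercise the parser and is not a real signed file.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header data directories

def der_length(blob):
    """Total encoded length (header + content) of the DER element at the start of blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long-form: the next n bytes hold the length
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def authenticode_slack(pe):
    """Bytes in the first WIN_CERTIFICATE entry beyond the PKCS#7 blob (alignment padding included).
    Returns None for an unsigned file; a legitimate entry leaves at most 7 bytes of zero padding."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + SECURITY_DIR_INDEX * 8)
    if cert_size == 0:
        return None
    dw_length = struct.unpack_from("<I", pe, cert_off)[0]
    pkcs7 = pe[cert_off + 8:cert_off + dw_length]  # skip dwLength, wRevision, wCertificateType
    return len(pkcs7) - der_length(pkcs7)

def build_sample_pe(extra=b""):
    """Constructed minimal PE32 with a fake certificate table; `extra` is appended after the PKCS#7 blob."""
    pkcs7 = b"\x30\x82\x01\x04" + b"\x04\x82\x01\x00" + b"A" * 256  # fake 264-byte DER SEQUENCE, not a real signature
    body = pkcs7 + extra
    body += b"\0" * ((-len(body)) % 8)  # WIN_CERTIFICATE entries are 8-byte aligned
    cert_off = 320
    hdr = bytearray(cert_off)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)  # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<H", hdr, 84, 224)  # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", hdr, 88, 0x10B)  # PE32 magic
    struct.pack_into("<II", hdr, 88 + 96 + SECURITY_DIR_INDEX * 8, cert_off, 8 + len(body))
    # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=WIN_CERT_TYPE_PKCS_SIGNED_DATA
    return bytes(hdr) + struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body

if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe()), ("appended", build_sample_pe(b"\xcc" * 100))):
        print(label, "slack bytes:", authenticode_slack(sample))
```

Anything well beyond the 7 bytes of alignment padding warrants a closer look, though a full verdict still needs a proper signature verification tool, since this only measures slack.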

Malware researcher, Kobi Eisenkraft, explained that the Check

