The Malsmoke hacking group is now abusing a vulnerability in Microsoft’s e-signature verification tool to deploy malware and steal user data.
On Wednesday, Check Point Research (CPR) said that over 2,100 victims have been detected worldwide so far in the new campaign, with the majority located in the United States, Canada, and India – although evidence of the malware has been found in 111 countries.
Dubbed ZLoader, the malicious code has been used in the past to deliver banking Trojans and has been closely connected to multiple ransomware strains.
The new campaign is thought to have started in November 2021. In the initial attack stages, the malware's operators use Atera, a legitimate remote management tool, as the springboard to infect a system.
It is not yet known how the malicious package containing Atera is being distributed. Once installed, the package also displays a fake Java installer; behind that decoy, it is installing an Atera agent that enrols the endpoint in an attacker-controlled account, giving the operators the ability to deploy malicious payloads on the machine remotely.
Two .bat files are then uploaded to the victim’s machine: the first is responsible for tampering with Windows Defender, and the second is used to load ZLoader.
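The chain described above (a remote-management agent launching batch files, one of which tampers with Windows Defender) leaves a recognisable footprint in process-creation telemetry. The following is an added detection sketch, not code from the article or from Check Point's report: the log format, field names, the Atera agent path and the sample events are all constructed assumptions, so map them onto your own EDR or Sysmon source before use.

```python
"""Flag two behaviours from the ZLoader/Atera chain in process-creation logs.

Added example; the pipe-delimited 'parent=|image=|cmd=' format, the sample
events and the Atera agent install path are constructed assumptions, not
taken from the article or from any vendor telemetry schema.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry (parent process, child image, command line).
SAMPLE_EVENTS = [
    r"parent=C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c C:\Users\Public\defender.bat",
    r"parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
    r"parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell Add-MpPreference -ExclusionPath C:\Users\Public",
    r"parent=C:\Windows\explorer.exe|image=C:\Windows\System32\notepad.exe|cmd=notepad.exe notes.txt",
]

# Assumed agent binary name; adjust to the RMM products deployed in your estate.
RMM_AGENT_RE = re.compile(r"ateraagent\.exe$", re.IGNORECASE)
SHELL_RE = re.compile(r"\\(cmd|powershell|pwsh)\.exe$", re.IGNORECASE)
BATCH_RE = re.compile(r"\S+\.(bat|cmd)\b", re.IGNORECASE)

# Common ways a script weakens Defender: disabling engine features,
# adding exclusions, stopping the service, or the policy registry switch.
DEFENDER_TAMPER_RES = [
    re.compile(r"Set-MpPreference\b.*-Disable\w+", re.IGNORECASE),
    re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.IGNORECASE),
    re.compile(r"\bsc(\.exe)?\s+(stop|config)\s+WinDefend\b", re.IGNORECASE),
    re.compile(r"DisableAntiSpyware", re.IGNORECASE),
]


@dataclass
class Event:
    parent: str
    image: str
    cmd: str


def parse_event(line):
    """Parse one constructed 'key=value|key=value' line (no '|' inside values)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return Event(fields["parent"], fields["image"], fields["cmd"])


def classify(ev):
    """Return the list of detection names that fire for one event."""
    findings = []
    # An RMM agent spawning a shell that runs a batch file is unusual for
    # normal administration and matches the first stage described above.
    if RMM_AGENT_RE.search(ev.parent) and SHELL_RE.search(ev.image) and BATCH_RE.search(ev.cmd):
        findings.append("rmm_agent_ran_batch")
    if any(rx.search(ev.cmd) for rx in DEFENDER_TAMPER_RES):
        findings.append("defender_tampering")
    return findings


def scan(lines):
    """Return (command line, findings) for every event that triggers a detection."""
    hits = []
    for ev in map(parse_event, lines):
        findings = classify(ev)
        if findings:
            hits.append((ev.cmd, findings))
    return hits


if __name__ == "__main__":
    for cmd, findings in scan(SAMPLE_EVENTS):
        print(", ".join(findings), "<-", cmd)
```

Correlating the two detections by host and by parent process (an RMM agent that runs a batch file which then weakens Defender within a short window) raises confidence well above either rule alone, and the same structure can be extended with a third rule for whatever loader behaviour your own telemetry captures.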