Over 2K victims hacked via Microsoft signature verification, India 3rd most affected

A new campaign exploited Microsoft’s digital signature verification to steal user credentials and sensitive information of over 2,000 victims in 111 countries, including India, and counting, a report said on Wednesday.

The malware has claimed 2,170 unique victims in 111 countries, with India being the third most affected with 140 cases, according to Israel-based cybersecurity company Check Point.

The top two targets were USA and Canada with 864 and 305 cases respectively, according to Check Point researcher Golan Cohen. Most victims reside in the US, followed by Canada and India.

“People need to know that they can’t immediately trust a file’s digital signature,” Kobi Eisenkraft, Malware Researcher at Check Point, said in a statement.

“What we found was a new ZLoader campaign exploiting Microsoft’s digital signature verification to steal sensitive information of users. We first began seeing evidence of the new campaign around November 2021,” Eisenkraft added.

Last seen in August 2021, Zloader, a banking malware designed to steal user credentials and private information, is back with a simple yet sophisticated infection chain. Previous Zloader campaigns, which were seen in 2020, used malicious documents, adult sites and Google ads to infect systems.

Evidence of the new campaign was first seen around early November 2021,to the cybercriminal group Malsmoke, which placed significant effort into evasion methods.The techniques incorporated in the infection chain include the use of legitimate remote management software (RMM) to gain initial access to the target machine.

“The attackers, whom we attribute to MalSmoke, are after the theft of user credentials and private information from victims. So far, we have counted north of 2,000 victims in 111 countries and counting,” said Eisenkraft.

ZLoader is known to be a tool in delivering ransomware. It has been known to deliver ransomware in the past and came to CISA’s radar in September 2021 as a threat in the distribution of Conti ransomware.

Leave a Reply

Your email address will not be published. Required fields are marked *