threatpost.com Open in urlscan Pro
35.173.160.135  Public Scan

URL: https://threatpost.com/malsmoke-microsoft-e-signature-verification/177363/
Submission: On January 05 via api from US — Scanned from DE


‘MALSMOKE’ EXPLOITS MICROSOFT’S E-SIGNATURE VERIFICATION

Author: Elizabeth Montalbano
January 5, 2022 8:00 am
2 minute read
The info-stealing campaign using ZLoader malware – previously used to deliver
Ryuk and Conti ransomware – already has claimed more than 2,000 victims across
111 countries.

Threat actors are exploiting Microsoft’s digital signature verification to steal
user credentials and other sensitive information by delivering the ZLoader
malware, which previously has been used to distribute Ryuk and Conti ransomware,
researchers have found.

Researchers at Check Point Research (CPR) discovered the cybercriminal group
Malsmoke delivering the campaign, which they traced back to November 2021,
according to a report posted online Wednesday.

“What we found was a new ZLoader campaign exploiting Microsoft’s digital
signature verification to steal sensitive information of users,” warned Kobi
Eisenkraft, a malware researcher at CPR. “People need to know that they can’t
immediately trust a file’s digital signature.”



Attackers already have claimed 2,170 unique victims in 111 countries, mainly in
the United States, Canada and India.

Moreover, attackers are updating attack methods “on a weekly basis” in an
evolving campaign that remains very much active, Eisenkraft said.

ZLoader is a banking trojan that uses web injection to steal cookies, passwords
and other sensitive information from victims’ machines. It attracted the
attention of the Cybersecurity and Infrastructure Security Agency (CISA) in
September 2021 as a threat in the distribution of Conti ransomware, according to
CPR. It also has been used to deliver the Ryuk ransomware.

Attackers also used ZLoader as the payload in multiple spearphishing campaigns,
including one in March 2020 that aimed to take advantage of the outbreak of the
COVID-19 pandemic.

In September 2021, attackers spread ZLoader via Google AdWords in a campaign
that used a mechanism to disable all Windows Defender modules on victim
machines.


JAVA IMPERSONATORS

For its part, Malsmoke previously used ZLoader to target people visiting adult
pornography sites in November 2020 in a campaign that delivered the trojan
through fake Java updates.

The latest campaign by the criminal group also leverages Java in its attack
vector, starting its nefarious activity by installing a legitimate remote
management program that impersonates a Java installation, according to CPR.

Once this occurs, the attacker has full access to the system and is able to
upload and download files and run scripts, which the researchers said the group
proceeds to do.

Eventually, the attackers run mshta.exe with the file appContast.dll as its
parameter; the DLL appears to be a Microsoft-trusted file, and it is used to
deliver the payload.

“The file appContast.dll is signed by Microsoft, even though more information
has been added to the end of the file,” according to the report. “The added
information downloads and runs the final Zloader payload, stealing user
credentials and private information from victims.”

Attackers “have put great effort into defense evasion,” Eisenkraft said, making
it difficult to detect the malicious campaign. According to the report, CPR has
informed Microsoft and Atera, maker of a remote management and monitoring tool,
of its findings.

CPR advises that Microsoft users apply the company’s update for strict
Authenticode verification immediately to avoid falling victim to the campaign,
especially since “it is not applied by default,” Eisenkraft warned.
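To make the appended-data trick and the strict-verification fix concrete from a defender's side, here is an added Python example; it is not code from Check Point, Threatpost or Microsoft. It assumes the extra bytes live inside the PE file's Authenticode certificate table (the region the Authenticode hash excludes, which is why the signature still validates), treats any non-zero bytes after the DER-encoded PKCS#7 blob as appended data, and uses a constructed minimal PE32 image rather than a real signed binary. The function names and the sample image are the example's own.

```python
"""Added example (not Check Point's, Threatpost's or Microsoft's code): detect
data appended inside a PE file's Authenticode certificate table.

Authenticode hashing skips the certificate table, so bytes placed after the
DER-encoded PKCS#7 signature there do not invalidate the signature. Windows'
optional strict verification rejects such slack; this parser measures it on
any platform. The sample image below is constructed, not a real signed file.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the certificate-table directory
WIN_CERT_HEADER = struct.Struct("<IHH")   # dwLength, wRevision, wCertificateType


def der_total_length(blob: bytes) -> int:
    """Full encoded size (tag + length octets + content) of the DER element at blob[0]."""
    if len(blob) < 2:
        raise ValueError("blob too short for a DER element")
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def certificate_table(pe: bytes):
    """Return (file_offset, size) of the security directory, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    off, size = struct.unpack_from("<II", pe, dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    return (off, size) if size else None   # the security "VA" is a raw file offset


def authenticode_slack(pe: bytes) -> dict:
    """Parse WIN_CERTIFICATE and report bytes trailing the PKCS#7 blob."""
    table = certificate_table(pe)
    if table is None:
        return {"signed": False}
    off, _size = table
    length, revision, cert_type = WIN_CERT_HEADER.unpack_from(pe, off)
    blob = pe[off + WIN_CERT_HEADER.size: off + length]
    der_len = der_total_length(blob)
    trailing = blob[der_len:]
    return {
        "signed": True,
        "revision": revision,
        "cert_type": cert_type,
        "der_length": der_len,
        "trailing_bytes": len(trailing),
        # zero bytes are legitimate 8-byte alignment padding; anything else was stuffed in
        "suspicious": any(trailing),
    }


def build_sample_pe(cert_blob: bytes, appended: bytes) -> bytes:
    """Constructed minimal PE32 image (not loadable) carrying a certificate table."""
    e_lfanew, opt_size, cert_off = 0x40, 224, 0x200
    body = cert_blob + appended
    win_cert = WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body), 0x0200, 0x0002) + body
    image = bytearray(cert_off + len(win_cert))
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4, 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", image, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<II", image, opt + 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                     cert_off, len(win_cert))
    image[cert_off:cert_off + len(win_cert)] = win_cert
    return bytes(image)


# Constructed stand-in for a PKCS#7 blob: DER SEQUENCE { INTEGER 5 }, 5 bytes long.
FAKE_PKCS7 = b"\x30\x03\x02\x01\x05"

if __name__ == "__main__":
    clean = build_sample_pe(FAKE_PKCS7, b"\x00\x00\x00")            # zero padding only
    stuffed = build_sample_pe(FAKE_PKCS7, b"CONSTRUCTED-APPENDED-DATA")
    print("clean:  ", authenticode_slack(clean))
    print("stuffed:", authenticode_slack(stuffed))
```

On a real file, read its bytes and pass them to authenticode_slack(); a non-zero trailing_bytes count with suspicious set is the condition the strict Windows check rejects. That check is the opt-in EnableCertPaddingCheck registry value Microsoft shipped with MS13-098, which is why the article notes it is not applied by default.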

People also should follow the typical common-sense security practices to avoid
installing programs from unknown sources or sites, clicking on unfamiliar links
or opening unfamiliar attachments they receive in emails, CPR advised.

