The campaign is said to have claimed 2,170 victims across 111 countries as of January 2, 2022, with most of the affected parties located in the U.S., Canada, India, Indonesia, and Australia.
It’s also notable for the fact that it wraps itself in layers of obfuscation and other detection-evasion methods to elude discovery and analysis.
The attack flow commences with the installation of a legitimate enterprise remote monitoring software called Atera, using it to upload and download arbitrary files as well as execute malicious scripts.
However, the exact mode of distributing the installer file remains unknown as yet.
One of the files is used to add exclusions to Windows Defender, while a second file proceeds to retrieve and execute next-stage payloads, including a DLL file called “appContast.dll” that, in turn, is used to run the ZLoader binary (“9092.dll”).
What stands out here is that appContast.dll is not only signed by Microsoft with a valid signature, but also that the file, originally an app resolver module (“AppResolver.dll”), has been tweaked and injected with a malicious script to load the final-stage malware.
This is made possible by exploiting a known issue tracked as CVE-2013-3900 – a WinVerifyTrust signature validation vulnerability – that allows remote attackers to execute arbitrary code via specially crafted portable executables by appending the malicious code snippet while still maintaining the validity of the file signature.