The Sophos Managed Threat Response Team recently detected and responded to a Zloader campaign that delivered CobaltStrike and installed Atera Agent for persistent remote access. MTR observed Zloader leveraging a known Windows vulnerability, CVE-2013-3900, which allows malicious script content to be appended to digitally signed Microsoft files without invalidating their Authenticode signatures. Within the past month, two other organizations have shared research related to this campaign. Checkpoint first published details about how Zloader abuses CVE-2013-3900. Shortly afterward, Walmart GlobalTech detailed research into this attack campaign, including their finding that ‘infections are primarily located in the US and Europe’. Given Sophos’s unique observations regarding initial access and the CobaltStrike beacon deployed, we wanted to publish our corresponding research.
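As an added example (not Sophos tooling and not code from the original research), the following Python script parses a PE file's Authenticode certificate table and measures how many bytes sit inside the table after the PKCS#7 SignedData blob, which is exactly the slack CVE-2013-3900 abuses. The sample PE it builds is constructed in code purely to exercise the parser (a dummy DER SEQUENCE stands in for a real signature), and the offsets follow the PE/COFF layout. Whether a given Windows host rejects such padding depends on the MS13-098 opt-in, EnableCertPaddingCheck=1 under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and the matching Wow6432Node path); this script reports the slack regardless of that setting.

```python
r"""Report CVE-2013-3900-style slack inside a PE's Authenticode certificate table.

Added example, not Sophos code. Authenticode hashing skips the attribute
certificate table, so bytes placed there after the PKCS#7 SignedData blob leave
the signature valid unless the MS13-098 opt-in (EnableCertPaddingCheck=1 under
HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config) is enabled on the host.
"""
import struct
import sys

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directories


def _der_total_length(blob: bytes) -> int:
    """Total encoded size (tag + length + content) of the outer DER SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    num = first & 0x7F                     # long form: number of length bytes
    if not 1 <= num <= 4 or len(blob) < 2 + num:
        raise ValueError("malformed DER length")
    return 2 + num + int.from_bytes(blob[2:2 + num], "big")


def check_cert_padding(pe: bytes) -> dict:
    """Parse the PE headers, locate the first WIN_CERTIFICATE entry and measure
    how many bytes sit between the end of its PKCS#7 blob and dwLength."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20                           # after the COFF file header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dir_base = opt_off + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ optional header
    cert_off, cert_size = struct.unpack_from("<II", pe, dir_base + 8 * SECURITY_DIR_INDEX)
    result = {"signed": cert_size != 0, "cert_table_offset": cert_off,
              "cert_table_size": cert_size, "pkcs7_length": 0,
              "padding_bytes": 0, "nonzero_padding": False, "padding_preview": b""}
    if not cert_size:
        return result
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then bCertificate
    dw_length, _rev, _ctype = struct.unpack_from("<IHH", pe, cert_off)
    if dw_length < 8 or dw_length > cert_size or cert_off + dw_length > len(pe):
        raise ValueError("WIN_CERTIFICATE dwLength exceeds the certificate table")
    blob = pe[cert_off + 8:cert_off + dw_length]
    pkcs7_len = _der_total_length(blob)
    padding = blob[pkcs7_len:]
    result.update(pkcs7_length=pkcs7_len, padding_bytes=len(padding),
                  nonzero_padding=any(b != 0 for b in padding),
                  padding_preview=padding[:32])
    return result


def is_suspicious(result: dict) -> bool:
    """Up to 7 zero bytes is normal 8-byte alignment; anything else is slack
    that EnableCertPaddingCheck would reject and that deserves a closer look."""
    return result["signed"] and (result["nonzero_padding"] or result["padding_bytes"] >= 8)


def build_sample_pe(appended: bytes = b"") -> bytes:
    """Constructed, minimal PE32 image: a header plus a certificate table whose
    'signature' is a dummy DER SEQUENCE. `appended` is placed inside the table
    after that blob, the way a CVE-2013-3900 abuser adds script content.
    Not a real signed binary; it exists only to exercise the parser above."""
    hdr_len = 0x40 + 4 + 20 + 224          # DOS header + "PE\0\0" + COFF + PE32 optional header
    hdr = bytearray(hdr_len)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 0, 0, 0, 0, 224, 0x102)  # COFF header
    struct.pack_into("<H", hdr, 0x58, 0x10B)                      # PE32 magic
    fake_pkcs7 = b"\x30\x06\x02\x01\x01\x02\x01\x02"               # SEQUENCE { INTEGER 1, INTEGER 2 }
    body = fake_pkcs7 + appended
    body += b"\x00" * (((len(body) + 7) & ~7) - len(body))        # 8-byte alignment padding
    dw_length = 8 + len(body)
    cert = struct.pack("<IHH", dw_length, 0x0200, 0x0002) + body  # revision 2.0, PKCS_SIGNED_DATA
    struct.pack_into("<II", hdr, 0x58 + 96 + 8 * SECURITY_DIR_INDEX, hdr_len, dw_length)
    return bytes(hdr) + cert


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample_pe(b"echo malicious script")  # constructed demo input
    verdict = check_cert_padding(data)
    print(verdict, "SUSPICIOUS" if is_suspicious(verdict) else "clean")
```

Run it against a real binary with `python check_padding.py file.exe`; with no argument it checks the constructed sample. Only the first WIN_CERTIFICATE entry is examined, which is sufficient for the single-signature case discussed here.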
On Friday, December 10th, a user at an American automotive company attempted to install a remote access tool on their computer by Google searching “teamviewer download”. Unfortunately, the user clicked on a malicious advertisement in the search results, then downloaded and ran a malicious installation package called TeamViewer.msi.
The malicious download was served from the domain teamviewer-u[.]com. At the time of our analysis, this command-and-control domain shared a hosting IP address with the Zloader domain zoomvideoconference[.]com.
When the downloaded TeamViewer.msi ran, it wrote a malicious executable named internal.exe to disk and launched it in parallel with the legitimate TeamViewer application.