Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike The Sophos Managed Threat Response Team recently detected and responded to a Zloader campaign that delivered CobaltStrike and installed Atera Agent for permanent remote access. MTR observed Zloader leveraging a known vulnerability in Windows that enabled appending malicious script content to digitally signed files provided by Microsoft, CVE-2013-3900. Within the past month

Zloader is a banking trojan with historical ties to the Zeus malware.  Recently, Egregor and Ryuk ransomware affiliates used Zloader for the initial point of entry. Zloader featured VNC remote access capabilities and was offered on the infamous Russian-speaking cybercrime forum exploit[.]in.

Zloader infects users by leveraging malicious web advertising to redirect users into downloading malicious MSI files. Over the last year, Zloader MSI files were disguised as installers for remote working applications such as Zoom, TeamViewer, and Discord.

The Sophos Managed Threat Response Team recently detected and responded to a Zloader campaign that delivered CobaltStrike and installed Atera Agent for permanent remote access. MTR observed Zloader leveraging a known vulnerability in Windows that enabled appending malicious script content to digitally signed files provided by Microsoft, CVE-2013-3900. Within the past month, two other organizations have shared research related to this campaign. Checkpoint first published details about how Zloader abuses CVE-2013-3900. Shortly afterward Walmart GlobalTech detailed research into this attack campaign, including their findings that ‘infections are primarily located in the US and Europe’. Given Sophos’s unique observations regarding initial access and the CobaltStrike beacon deployed, we wanted to publish our corresponding research.

On Friday, December 10th, a user at an American automotive company attempted to install a remote access tool for their computer by Google searching “teamviewer download”. Unfortunately, this user accidentally clicked on a malicious advertisement, downloaded and then ran a malicious installation package called TeamViewer.msi.

The malicious download was performed using the domain teamviewer-u[.]com. This command and control domain shared the same hosting IP address as the Zloader domain zoomvideoconference[.]com at the time of our analysis.

19:30

When the downloaded TeamViewer.msi ran, it wrote to disk a malicious executable named internal.exe. The malicious executable launched parallel to the legitimate TeamViewer application: