Notice from InfoSec

On January 5, 2022, a new attack campaign was reported that leverages the legitimate Atera RMM software to gain initial access to target machines.

An infection begins with installing Atera software on a target machine. Atera is legitimate enterprise RMM software that can install an agent and assign the endpoint to a particular account with an .msi file that includes the owner’s email address. The attackers did this with a temporary email address, and the downloadable file is disguised as a Java installation — a method seen in earlier Zloader campaigns.

Eisenkraft (A Company that we exploited) says the team is unsure how attackers deploy Atera onto victim devices in this campaign; however, in earlier Zloader campaigns, the operators lured victims by playing part of an adult film. After a few seconds, the video stopped and a message said their Java needed to be updated. Victims were then prompted to download a “Java” installation, which was a trial version of Atera that enabled attackers to send files to the machine and run them, he explains.

After the software is on the machine, the attacker uses the “Run Script” function to upload two .bat files to the device and run them. One modifies Windows Defender preferences, and the other loads the rest of the malware. In this stage, the scripts add exclusions to Windows Defender and disable tools that could be used for detection and investigation.
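One way to hunt for the stage described above is to flag Defender preference changes and check whether they descend from an RMM agent and a batch script. This is an added example, not part of the original notice; the event field names, the agent process name and path, and the sample events are assumptions constructed for illustration.

```python
import re

# Defender preference changes worth alerting on: new exclusions or disabled protections.
TAMPER = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-(Exclusion(?:Path|Process|Extension)|Disable\w+)",
    re.IGNORECASE,
)
# Assumption: process names of the RMM agents present in this environment.
RMM_IMAGES = {"ateraagent.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation records (fields modelled on Sysmon Event ID 1).
EVENTS = [
    {"host": "ws-014", "pid": 3900, "ppid": 700, "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe", "cmd": "AteraAgent.exe"},
    {"host": "ws-014", "pid": 4100, "ppid": 3900, "image": r"C:\Windows\System32\cmd.exe", "cmd": r'cmd.exe /c "C:\Windows\Temp\a1.bat"'},
    {"host": "ws-014", "pid": 4180, "ppid": 4100, "image": PS, "cmd": r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"host": "ws-022", "pid": 5000, "ppid": 812, "image": PS, "cmd": "powershell Get-MpPreference"},
    {"host": "ws-031", "pid": 610, "ppid": 600, "image": PS, "cmd": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestors(event, by_pid):
    """Yield parent events, closest first; stops at an unknown parent or a PID loop."""
    seen = set()
    key = (event["host"], event["ppid"])
    while key in by_pid and key not in seen:
        seen.add(key)
        yield by_pid[key]
        key = (by_pid[key]["host"], by_pid[key]["ppid"])

def find_defender_tampering(events):
    """Return one alert per Defender preference change, with process-tree context."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        m = TAMPER.search(e["cmd"])
        if not m:
            continue
        chain = list(ancestors(e, by_pid))
        from_rmm = any(basename(p["image"]) in RMM_IMAGES for p in chain)
        via_script = any(re.search(r"\.(bat|cmd)\b", p["cmd"], re.I) for p in chain)
        alerts.append({"host": e["host"], "setting": m.group(1), "from_rmm": from_rmm,
                       "via_script": via_script, "severity": "high" if from_rmm else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_defender_tampering(EVENTS):
        print(alert)
```

PIDs are reused over time, so in production the process-tree lookup should key on a unique process identifier (such as Sysmon's ProcessGuid) rather than the host and PID pair used here.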
