Notice from InfoSec

On January 5, 2022, a new attack campaign was reported that leverages the legitimate Atera RMM software to gain initial access to target machines.

An infection begins with the installation of Atera software on a target machine. Atera is legitimate enterprise remote monitoring and management (RMM) software; its agent is installed from an .msi file that embeds the account owner's email address, which enrolls the endpoint to that account. The attackers registered the account with a temporary email address, and the downloadable file is disguised as a Java installation, a method seen in earlier Zloader campaigns.

Eisenkraft (a company that we exploited) says the team is unsure how attackers deploy Atera onto victim devices in this campaign; in earlier Zloader campaigns, however, the operators lured victims by playing part of an adult film. After a few seconds the video stopped and a message said their Java needed to be updated. Victims were prompted to download a "Java" installation that was in fact a trial version of Atera, which let the attackers send files to the machine and run them, he explains.

After the software is on the machine, the attacker uploads and runs two .bat files on the device using Atera's "Run Script" function. One modifies Windows Defender preferences; the other loads the rest of the malware. In this stage the scripts add exclusions to Windows Defender and disable tools that could be used for detection and investigation.
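The Defender-tampering stage described above leaves traces that a defender can audit directly on the host. The following PowerShell is an added example written for this notice, not code from the campaign or from Atera: it lists the current Defender exclusions and protection toggles, flags exclusions that cover user-writable or overly broad locations, pulls the Defender configuration-change events (Event ID 5007) from the last day, and checks whether the Atera agent service is present. The lookback window, the "suspicious" path patterns and the `AteraAgent` service name are assumptions to adjust for your environment.

```powershell
# Added defensive check for the Defender-tampering stage described in the notice.
# Not part of the original page. Assumptions: run elevated on a Windows host with
# Microsoft Defender, the Defender operational log is enabled (the default),
# and the patterns/thresholds below are illustrative.

$lookbackHours = 24   # assumption: tune to your hunting window

# 1. Current exclusion lists and protection toggles. A script that "modifies Windows
#    Defender preferences" shows up here as new exclusions or disabled features.
$pref = Get-MpPreference
[pscustomobject]@{
    ExclusionPath      = ($pref.ExclusionPath -join '; ')
    ExclusionExtension = ($pref.ExclusionExtension -join '; ')
    ExclusionProcess   = ($pref.ExclusionProcess -join '; ')
    RealtimeDisabled   = $pref.DisableRealtimeMonitoring
    IOAVDisabled       = $pref.DisableIOAVProtection
    BehaviorDisabled   = $pref.DisableBehaviorMonitoring
} | Format-List

# 2. Flag exclusions that cover whole drives or user-writable directories, the
#    kind of location a dropper would stage its payload in. Patterns are assumptions.
$suspiciousPatterns = '^[A-Za-z]:\\$', 'Users\\', 'AppData', 'Temp', 'ProgramData', 'Public'
foreach ($path in $pref.ExclusionPath) {
    foreach ($pattern in $suspiciousPatterns) {
        if ($path -match $pattern) {
            Write-Warning "Broad or user-writable Defender exclusion: $path"
            break
        }
    }
}

# 3. Defender logs Event ID 5007 whenever its configuration changes; the message
#    names the registry value that changed, so exclusion and disable-* changes can
#    be filtered on the message text.
$since  = (Get-Date).AddHours(-$lookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Message -match 'Exclusions|DisableRealtimeMonitoring|DisableAntiSpyware|DisableBehaviorMonitoring|DisableIOAVProtection' } |
    Select-Object TimeCreated, Id, @{ n = 'Change'; e = { ($_.Message -split "`n")[0..3] -join ' ' } } |
    Format-Table -AutoSize -Wrap

# 4. Correlate with the RMM agent: an Atera agent on a host that was never enrolled
#    by IT is the initial-access indicator in this campaign. The service name
#    'AteraAgent' is an assumption; verify it against a known-good install.
Get-Service -Name 'AteraAgent' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Run it from an elevated PowerShell session on a host you suspect; an empty result from step 3 combined with unexpected entries in step 1 means the change happened outside the lookback window, so widen `$lookbackHours` rather than treating the host as clean. Feeding Event ID 5007 to a SIEM and alerting on new `Exclusions\` values is the same check at fleet scale.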
