January 7th, 2022: CyberHoot has investigated a new form of malware known as Malsmoke. This malware takes advantage of a vulnerability in the way Microsoft digitally signs a specific file type. Cyber threat intelligence firm Check Point Research says the attack uses the infamous Zloader banking malware to steal account credentials and other private data. The malware has already infected 2,170 unique machines that downloaded the malicious Atera file involved in the exploit. Most of the victims are in the US and Canada, but the campaign has hit more than 100 other countries, including India, Germany, Russia, and the UK. CyberHoot decided to share this advisory with our administrators for awareness purposes.
For the majority of Managed Service Providers out there, there is very little risk from Atera RMM. The big three RMM solutions (Connectwise, Datto, and Kaseya) are not at risk from this vulnerability. Having said that, it is always helpful to know more about what hackers are up to, so read on.
Check Point said that the campaign, first seen in early November 2021, uses legitimate remote management software to access the target machine. From there, the attackers abuse a weakness in Microsoft's digital signature verification to inject their malicious payload into a signed Windows DLL file, allowing it to bypass security defenses that trust the signature.
Specifically, the campaign begins by installing the Atera remote monitoring and management software on a target machine. A legitimate remote tool used by IT professionals, Atera’s product offers a free 30-day trial for new users, an option the attackers are likely using to gain initial access. Once the product is installed, the operators have full control of the system to run scripts and upload or download files.
To help you protect yourself and your organization against this particular exploit, Check Point advises you to apply Microsoft’s update for strict Authenticode verification.
For MSPs using Datto RMM, Datto offers a monitor that checks for the presence of this agent. The component (Atera Agent Monitor/Uninstaller [WIN]) is available in the ComStore and can be deployed immediately.
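The two defensive steps above (enforce strict Authenticode verification, then look for an unexpected Atera agent) can be audited from PowerShell. The script below is an added example written for this advisory, not code from CyberHoot, Check Point, Datto or Atera; it assumes local administrator rights to write the HKLM values, and the "*Atera*" display-name match used to find the agent is an assumption rather than a documented product identifier.

```powershell
# Strict Authenticode verification (MS13-098) is controlled by the
# EnableCertPaddingCheck value under both of these keys on 64-bit Windows.
$WintrustConfigKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Get-AuthenticodePaddingCheck {
    # Report whether the strict check is enforced for each key.
    foreach ($key in $WintrustConfigKeys) {
        $value = (Get-ItemProperty -Path $key -Name EnableCertPaddingCheck `
                    -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{ Key = $key; Value = $value; Enforced = ($value -eq '1') }
    }
}

function Enable-AuthenticodePaddingCheck {
    # Microsoft documents the value as a REG_SZ string "1"; a reboot applies it.
    foreach ($key in $WintrustConfigKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name EnableCertPaddingCheck `
            -PropertyType String -Value '1' -Force | Out-Null
    }
}

function Test-SignedFile {
    # Once the padding check is enforced, a signed PE whose signature block
    # has had extra data appended reports HashMismatch instead of Valid.
    param([Parameter(Mandatory)][string]$FilePath)
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        File       = $FilePath
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Suspicious = ($sig.Status -notin 'Valid', 'NotSigned')
    }
}

function Find-AteraAgent {
    # Search the installed-programs registry for anything named like Atera
    # (assumed name pattern) so an unexpected RMM agent stands out.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Atera*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString
}
```

Run `Get-AuthenticodePaddingCheck` before and after `Enable-AuthenticodePaddingCheck` to confirm the change, and feed any DLL that lands alongside an unexpected RMM install to `Test-SignedFile`.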
Malsmoke hackers abuse Microsoft signature verification in ZLoader cyberattacks
Datto Information Security Team Notice: Atera Advisory for MSPs