MalSmoke Attack: Atera RMM Tool At Risk

20th January 2022 | Advisory, Blog



January 7th, 2022: CyberHoot has investigated a malware campaign known as MalSmoke. The campaign takes advantage of a weakness in the way Windows verifies Authenticode digital signatures on signed executable files, which lets attackers add code to a legitimately signed DLL without invalidating its signature. Cyber threat intelligence firm Check Point Research says the attack delivers the infamous Zloader banking malware to steal account credentials and other private data. At the time of Check Point's report, the malware had already infected 2,170 unique machines that downloaded the malicious Atera installer involved in the attack. Most of the victims are in the US and Canada, but the campaign has hit more than 100 other countries, including India, Germany, Russia, and the UK. CyberHoot is sharing this advisory with our administrators for awareness purposes.

Atera RMM Critical Risk

For the majority of Managed Service Providers, Atera RMM itself poses very little risk here: the campaign does not exploit a flaw in Atera, it abuses a legitimately installed Atera agent as the attacker's foothold on the victim machine. The big three RMM solutions, ConnectWise, Datto, and Kaseya, are not involved in this campaign. Having said that, it is always helpful to know what attackers are up to, so read on.

Check Point said that the campaign, first seen in early November 2021, uses legitimate remote management software to gain access to the target machine. From there, the attackers abuse a gap in Microsoft's Authenticode signature verification: they append their malicious payload to a signed Windows DLL in the part of the file that the signature does not cover, so the file still passes the default signature check and evades security tools that trust a valid signature.

Specifically, the campaign begins by installing the Atera remote monitoring and management software on a target machine. Atera is a legitimate remote tool used by IT professionals, and it offers a free 30-day trial to new users; the attackers are likely using such trial accounts to obtain an installer that enrolls victims into a console they control. Once the agent is installed and checking in, the operators have full remote control of the system, including running scripts and uploading or downloading files.
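To see the signature trick in file terms, here is an added PowerShell check, written for this page and not part of the CyberHoot advisory or Check Point's report. It parses a PE file's security directory and reports how many bytes of each WIN_CERTIFICATE entry lie outside the PKCS#7 SignedData blob. Windows' default Authenticode verification hashes neither the certificate table nor the directory entry that points to it, so a payload appended inside that table leaves the signature valid unless the strict check (Microsoft's opt-in fix for CVE-2013-3900) is turned on. Everything here follows the published PE and Authenticode layout; the 7-byte threshold is my own choice (the table's 8-byte alignment padding), and any entry the parser cannot read is reported as all slack.

```powershell
# Added example: measure bytes inside the Authenticode certificate table that are
# not part of the embedded PKCS#7 blob. Large slack is where a payload can hide
# without breaking the signature on systems that lack the strict padding check.
function Get-AuthenticodeSlack {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "No MZ header: $Path" }
    $peOff = [int][BitConverter]::ToUInt32($b, 0x3C)              # e_lfanew
    if ($peOff -lt 0 -or $peOff + 26 -gt $b.Length -or
        [BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { throw "Bad PE signature: $Path" }

    $opt   = $peOff + 24                                          # IMAGE_OPTIONAL_HEADER
    $magic = [BitConverter]::ToUInt16($b, $opt)
    $dirBase = switch ($magic) {                                  # first data directory
        0x10B   { $opt + 96 }                                     # PE32
        0x20B   { $opt + 112 }                                    # PE32+
        default { throw "Unknown optional header magic $magic in $Path" }
    }
    $secDir = $dirBase + 4 * 8                                    # IMAGE_DIRECTORY_ENTRY_SECURITY
    if ($secDir + 8 -gt $b.Length) { throw "Truncated optional header: $Path" }
    $tblOff  = [BitConverter]::ToUInt32($b, $secDir)              # a file offset, not an RVA
    $tblSize = [BitConverter]::ToUInt32($b, $secDir + 4)
    if ($tblOff -eq 0 -or $tblSize -eq 0) {
        return [pscustomobject]@{ Path = $Path; Signed = $false; Entries = @(); Suspicious = $false }
    }
    if ([long]$tblOff + [long]$tblSize -gt $b.Length) { throw "Certificate table runs past end of file: $Path" }

    $entries = @()
    $pos = [int]$tblOff
    $end = $pos + [int]$tblSize
    while ($pos + 8 -le $end) {
        $dwLength = [int][BitConverter]::ToUInt32($b, $pos)       # includes this 8-byte header
        $certType = [BitConverter]::ToUInt16($b, $pos + 6)        # 2 = WIN_CERT_TYPE_PKCS_SIGNED_DATA
        if ($dwLength -lt 8 -or $pos + $dwLength -gt $end) { throw ("Malformed WIN_CERTIFICATE at 0x{0:X}" -f $pos) }

        # bCertificate should be a DER SEQUENCE (0x30) with a short or long-form length;
        # its declared length tells us how much of the entry the signature actually uses.
        $der = $pos + 8
        $derLen = 0
        if ($certType -eq 2 -and $dwLength -ge 10 -and $b[$der] -eq 0x30) {
            $l = [int]$b[$der + 1]
            if ($l -lt 0x80) { $derLen = 2 + $l }
            else {
                $n = $l -band 0x7F
                if ($n -gt 4 -or $dwLength -lt 10 + $n) { throw ("Bad DER length at 0x{0:X}" -f $der) }
                $len = 0
                for ($i = 0; $i -lt $n; $i++) { $len = $len * 256 + [int]$b[$der + 2 + $i] }
                $derLen = 2 + $n + $len
            }
        }
        $slack = $dwLength - 8 - $derLen
        $entries += [pscustomobject]@{ Offset = $pos; Type = $certType; Length = $dwLength; DerLength = $derLen; Slack = $slack }
        $pos += [int]([math]::Ceiling($dwLength / 8) * 8)         # entries are 8-byte aligned
    }

    [pscustomobject]@{
        Path       = $Path
        Signed     = $true
        Entries    = $entries
        # More than 7 bytes past the DER blob (or a blob that overruns its entry) is not alignment padding.
        Suspicious = [bool]($entries | Where-Object { $_.Slack -gt 7 -or $_.Slack -lt 0 })
    }
}

# Usage: sweep a tree and list signed binaries carrying bytes outside their signature blob.
# Get-ChildItem 'C:\Program Files' -Recurse -Include *.dll,*.exe |
#     ForEach-Object { try { Get-AuthenticodeSlack $_.FullName } catch { } } |
#     Where-Object Suspicious |
#     Format-Table Path, @{ n = 'Slack'; e = { ($_.Entries.Slack | Measure-Object -Sum).Sum } }
```

Treat a hit as a lead, not a verdict: some legitimate installers also stash non-malicious data in this region, and Get-AuthenticodeSignature on a machine without the strict check will still report such a file as Valid, which is precisely why the heuristic is worth running alongside it.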

What Should I Do?

To protect yourself and your organization against this particular technique, Check Point advises applying Microsoft's fix for strict Authenticode verification. Note that this fix is opt-in: Microsoft ships the stricter check disabled by default, and it has to be turned on explicitly (via a registry setting) on each Windows system. Once enabled, Windows rejects signed files that carry extra data inside the signature block, which is exactly where this campaign hides its payload.

For MSPs using Datto RMM, Datto offers a monitor that checks for the presence of the Atera agent. The component (Atera Agent Monitor/Uninstaller [WIN]) is available in the ComStore and can be deployed immediately.
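Both steps above as PowerShell, added here as an example rather than taken from Check Point, Microsoft, or Datto's ComStore component. Enabling the strict check is a registry setting: EnableCertPaddingCheck, a REG_SZ value of "1", under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config, plus the Wow6432Node copy so 32-bit processes on 64-bit Windows get the same behaviour. The Atera service name 'AteraAgent', its process name, and the install directory are assumptions about the Atera installer; adjust them if your systems show different names.

```powershell
# Added example (not the advisory's or Datto's code).
# 1) Turn on strict Authenticode verification: WinVerifyTrust then rejects signed files
#    whose certificate table carries bytes outside the PKCS#7 blob.
# 2) Look for an installed Atera agent on this machine.
$PaddingKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'   # 32-bit callers on 64-bit Windows
)

function Enable-StrictAuthenticode {
    [CmdletBinding(SupportsShouldProcess)] param()
    foreach ($key in $PaddingKeys) {
        if ($key -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
        if ($PSCmdlet.ShouldProcess($key, 'Set EnableCertPaddingCheck = "1"')) {
            New-Item -Path $key -Force | Out-Null                         # creates the key if absent
            # Microsoft documents the value as a string "1" (REG_SZ), not a DWORD.
            New-ItemProperty -Path $key -Name EnableCertPaddingCheck -Value '1' -PropertyType String -Force | Out-Null
        }
    }
}

function Test-StrictAuthenticode {
    foreach ($key in $PaddingKeys) {
        $v = (Get-ItemProperty -Path $key -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{ Key = $key; EnableCertPaddingCheck = $v; Enforced = ($v -eq '1') }
    }
}

function Find-AteraAgent {
    # Assumed names: service 'AteraAgent', process 'AteraAgent', and the default install directory.
    $svc  = Get-Service -Name 'AteraAgent' -ErrorAction SilentlyContinue
    $proc = Get-Process -Name 'AteraAgent' -ErrorAction SilentlyContinue
    $dir  = Join-Path $env:ProgramFiles 'ATERA Networks\AteraAgent'
    [pscustomobject]@{
        ServicePresent = [bool]$svc
        ServiceStatus  = $(if ($svc) { $svc.Status })
        Running        = [bool]$proc
        InstallDir     = $(if (Test-Path $dir) { $dir })
    }
}

# Usage (elevated PowerShell):
# Enable-StrictAuthenticode -WhatIf                       # preview the registry writes
# Enable-StrictAuthenticode; Test-StrictAuthenticode | Format-Table
# Find-AteraAgent                                          # any True/non-empty field on a host that
#                                                          # should not run Atera deserves a look
```

The strict check is system-wide: once set, any signed file that carries extra data in its signature block, including some legitimate installers and updaters, will be reported as unsigned or tampered, so roll it out to a pilot group and watch for breakage before pushing it fleet-wide. An Atera agent found on a machine where no one deployed it should be treated as attacker remote access, not as a stray install; the Datto component above uninstalls it, but capture the agent's account details and check-in logs first.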

Sources
MalSmoke attack: Zloader malware exploits Microsoft’s signature verification to steal sensitive data

Malsmoke hackers abuse Microsoft signature verification in ZLoader cyberattacks

Datto Information Security Team Notice: Atera Advisory for MSPs

Zero Day – Cybrary Term
