A ZLoader malware campaign is exploiting a nine-year-old flaw in Microsoft’s digital signature verification to steal credentials and sensitive information using remote monitoring tools.
Check Point Research, which has been tracking the infection chain since November 2021, attributes it to a cybercriminal group dubbed MalSmoke, citing similarities to previous attacks. “The infection chain incorporates legitimate remote management software (RMM) to gain access to the target machine.” After injecting its payload into a signed DLL, the malware further evades system defenses by exploiting a weakness in Microsoft’s digital signature verification.
As a banking Trojan, ZLoader has been used by many attackers to steal cookies, passwords, and other private information from victims’ machines, but it has also gained notoriety for acting as a distribution platform for Conti ransomware, according to a U.S. government advisory from the Cybersecurity and Infrastructure Security Agency (CISA) in September 2021.
As of January 2, 2022, the campaign had claimed 2,170 victims in 111 countries, with the majority in the United States, Canada, India, Indonesia and Australia. The campaign also relies on concealment and other detection-evasion methods to resist detection and analysis.
Users are tricked into installing legitimate enterprise remote monitoring software called Atera, which is then used to download arbitrary files and execute malicious scripts. However, the exact distribution method of the installation file is still unknown.
Two of the files are used to prevent Windows Defender from interfering with the attack, and a third is used to retrieve and execute the next-stage payloads, including a DLL called “appContast.dll” which is used to run the ZLoader binary (“9092.dll”).
It is worth noting that appContast.dll is not only signed by Microsoft but has also been injected with a malicious script that loads the final-stage malware. The file was originally an application resolver (“AppResolver.dll”) that was modified to carry this script.
A vulnerability identified as CVE-2013-3900 — a WinVerifyTrust signature validation flaw — allows remote attackers to execute arbitrary code via crafted portable executables by making sufficiently subtle changes to the file without invalidating the digital signature.
Although Microsoft fixed the bug in 2013, it revised its plans in July 2014 and decided to no longer “enforce the stricter verification behavior as a default feature on supported versions of Microsoft Windows”, making it available as an opt-in feature instead. Because the stricter check is disabled by default, malware authors can modify a signed file without invalidating its signature, Cohen explained.
According to Check Point malware researcher Kobi Eisenkraft, the authors of the ZLoader campaign work on new defense-evasion methods every week. He advised users to refrain from installing software from unknown sources and to check executable files with Microsoft’s Windows Authenticode signature verification.
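To make the signature-verification weakness concrete, the following is an added example written for this page; it is not code from Check Point or from the article. It parses a PE file's Authenticode certificate table (the IMAGE_DIRECTORY_ENTRY_SECURITY directory) and measures any bytes that sit inside the table but outside the DER-encoded PKCS#7 signature, which is the region the default verifier does not cover. Assumptions: the exact logic of Microsoft's stricter check is not on the page, so the rule here (only zero padding to an 8-byte boundary is tolerated) is this example's own; the sample PE images and the placeholder PKCS#7 blob are constructed fixtures, not real signed binaries.

```python
import struct

# Constants from the PE/COFF and Authenticode specifications.
E_LFANEW_FIELD = 0x3C                 # DOS header field holding the PE header offset
IMAGE_DIRECTORY_ENTRY_SECURITY = 4    # data directory index of the certificate table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERTIFICATE_HEADER = 8            # dwLength(4) + wRevision(2) + wCertificateType(2)
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _der_total_length(blob: bytes) -> int:
    """Return the full encoded size of the DER SEQUENCE at the start of blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                  # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                  # long form: next n bytes hold the length
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def certificate_table_slack(pe: bytes) -> dict:
    """Locate the certificate table and report bytes inside it that are not
    part of the signed PKCS#7 structure (the 'slack' a tamperer could use)."""
    e_lfanew = struct.unpack_from("<I", pe, E_LFANEW_FIELD)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20       # the COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    if magic == PE32_MAGIC:
        dirs = opt_hdr + 96           # data directories start at +96 for PE32
    elif magic == PE32PLUS_MAGIC:
        dirs = opt_hdr + 112          # and at +112 for PE32+
    else:
        raise ValueError("unknown optional header magic")
    cert_off, cert_size = struct.unpack_from(
        "<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_off == 0 or cert_size == 0:
        return {"signed": False}
    dw_length = struct.unpack_from("<I", pe, cert_off)[0]
    blob = pe[cert_off + WIN_CERTIFICATE_HEADER:cert_off + dw_length]
    der_len = _der_total_length(blob)
    slack = blob[der_len:]
    # Example's own rule: tolerate only zero padding up to the next 8-byte boundary.
    allowed = (-der_len) % 8
    suspicious = len(slack) > allowed or any(slack)
    return {"signed": True, "pkcs7_length": der_len,
            "slack_bytes": len(slack), "suspicious": suspicious}


def build_sample_pe(extra: bytes = b"") -> bytes:
    """Construct a minimal, non-executable PE32 image whose certificate table
    holds a placeholder DER SEQUENCE plus 'extra' unsigned bytes (test fixture)."""
    pkcs7 = bytes([0x30, 0x03, 0x02, 0x01, 0x00])   # SEQUENCE { INTEGER 0 }, 5 bytes
    body = pkcs7 + extra
    padded = body + b"\0" * ((-len(body)) % 8)
    win_cert = struct.pack("<IHH", WIN_CERTIFICATE_HEADER + len(padded),
                           WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + padded
    opt_size = 96 + 16 * 8            # PE32 optional header with 16 data directories
    headers_len = 64 + 4 + 20 + opt_size
    cert_off = (headers_len + 7) & ~7
    dos = b"MZ" + b"\0" * (E_LFANEW_FIELD - 2) + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_off, len(win_cert))
    opt = (struct.pack("<H", PE32_MAGIC) + b"\0" * (96 - 2)
           + b"".join(struct.pack("<II", *d) for d in dirs))
    image = dos + b"PE\0\0" + coff + opt
    return image + b"\0" * (cert_off - len(image)) + win_cert


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe()),
                          ("tampered", build_sample_pe(b"EXTRA-UNSIGNED-DATA"))):
        print(label, certificate_table_slack(sample))
```

On a real system the corresponding fix is the opt-in behaviour the article refers to: Microsoft exposes it as the EnableCertPaddingCheck registry value under the Wintrust\Config key, and a signature check such as PowerShell's Get-AuthenticodeSignature only reports what the verifier accepts under the policy currently in force, so a file can still show as validly signed while carrying unverified bytes in its certificate table.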