Security researchers are tracking a new campaign in which attackers abuse Microsoft’s digital signature verification to deploy Zloader, a banking malware designed to steal user credentials and private information.
This campaign was spotted in early November 2021, according to the Check Point Research team, which released its findings today. As of January 2, they said, 2,170 IP addresses of unique victims around the world had downloaded the malicious DLL file. Most of the victims are in the United States (864), Canada (305) and India (140). About a third of them are businesses, a small portion is related to education and government, and the rest are individuals.
Zloader is not a new form of malware; campaigns using it have already been observed in the wild in several forms. Zloader’s previous campaigns, seen in 2020, used malicious files, adult websites and Google ads to attack target systems, the researchers said.
Here, the attack operators seem particularly focused on evasion techniques. They use legitimate remote monitoring and management (RMM) software to gain initial access to target machines, append code to a signed file’s signature section while keeping the signature valid, and then run it using mshta.exe.
“The new and most interesting thing, from my point of view, is that this is the first time that we notice [a] Zloader campaign [that] leverages Microsoft’s digital signature verification method to inject its payload into a signed system DLL to further evade system defenses,” said Kobi Eisenkraft, malware researcher at Check Point. “This evidence shows that the authors of the Zloader campaign went to great lengths to bypass the defense.”
An infection begins with the installation of the Atera software on a target machine. Atera is legitimate corporate RMM software that can install an agent and assign the endpoint to a particular account via an .msi file that includes the owner’s email address. The attackers did this with a temporary email address, and the downloadable file is disguised as a Java installation, a method seen in previous Zloader campaigns.
Eisenkraft says the team does not know how attackers are deploying Atera to victim devices in this campaign; however, in previous Zloader campaigns, operators lured victims by playing part of an adult movie. After a few seconds the video stopped and a message said their Java needed to be updated. Victims were asked to download a “Java” installation, which was actually a trial version of Atera that allowed attackers to send files to the machine and execute them, he explains.
Once the software is installed on the machine, the attacker downloads and executes two .bat files on the device using the “Run script” function. One is used to change Windows Defender preferences, and the other is used to load the rest of the malware. At this point, the scripts add exclusions to Windows Defender and disable tools that could be used for detection and investigation.
The script then runs mshta[.]exe with appContast[.]dll as a parameter. The researchers noticed that this file was signed by Microsoft with a valid signature, and by comparing it with the original Microsoft-signed file, they found that the attackers had appended a script to it to load the malicious DLL.
“These simple changes to a signed file maintain the validity of the signature, while still allowing us to add data to the signature section of a file,” the Check Point team explained in a technical brief on its findings. In this campaign, the appended data allows attackers to download and run the Zloader payload.
This exploits a signature verification weakness described in CVE-2020-1599, CVE-2013-3900 and CVE-2012-0151, they noted.
Microsoft addressed the signature verification issue in a 2013 security bulletin and pushed a fix. However, after releasing it, the company said it had “determined that the impact on existing software could be high.” In July 2014, it made the stricter file verification an optional, opt-in update, the team wrote. Unless someone manually installed the patch, they weren’t protected. Many security vendors will let the malicious signed file run because it carries a valid digital signature from Microsoft, Eisenkraft explains.
Eisenkraft says it doesn’t appear that attackers are after specific types of data; mainly passwords and other sensitive information are being compromised.
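The appended-data trick described above works because the Authenticode hash does not cover the certificate table that holds the signature. As an added example (not Check Point’s or Microsoft’s code), the following Python inspects a PE’s WIN_CERTIFICATE entry and flags bytes that sit inside the entry but beyond the PKCS#7 SignedData structure, the kind of extraneous data the stricter, opt-in verification was introduced to reject. The sample tables are constructed, not real signatures, and only the length accounting is exercised.

```python
import struct

# WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def der_total_length(blob: bytes) -> int:
    """Header plus content length of the outer DER element at the start of
    `blob`. The PKCS#7 SignedData is one SEQUENCE, so bytes past this point
    are inside the certificate table but are not part of the signature."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate data does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def check_certificate_table(table: bytes) -> dict:
    """Report bytes that sit inside the WIN_CERTIFICATE entry but beyond the
    PKCS#7 structure. Zero padding up to an 8-byte boundary is legitimate;
    anything else is data the (still valid) signature does not cover."""
    dw_length, _revision, cert_type = WIN_CERT_HEADER.unpack_from(table)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected certificate type {cert_type:#x}")
    blob = table[WIN_CERT_HEADER.size:dw_length]
    pkcs7_len = der_total_length(blob)
    trailing = blob[pkcs7_len:]
    return {"declared_length": dw_length, "pkcs7_length": pkcs7_len,
            "trailing_bytes": len(trailing),
            # non-zero trailing bytes, or more than 7 bytes of "padding"
            "suspicious": any(trailing) or len(trailing) >= 8}

# Constructed samples (not real signatures): a bare DER SEQUENCE of 20
# content bytes stands in for the PKCS#7 blob.
FAKE_PKCS7 = b"\x30\x14" + bytes(range(20))

def make_table(extra: bytes) -> bytes:
    """Build a WIN_CERTIFICATE entry around FAKE_PKCS7, padded to 8 bytes."""
    body = FAKE_PKCS7 + extra
    body += b"\0" * ((-(WIN_CERT_HEADER.size + len(body))) % 8)
    return WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body), 0x0200, 0x0002) + body

CLEAN_TABLE = make_table(b"")                                    # padding only
TAMPERED_TABLE = make_table(b"\0\0" + b"constructed-appended-payload")  # extra data
```

Running `check_certificate_table` on each PE found in a software inventory, after locating the security data directory, gives a simple triage signal for signed binaries carrying uncovered data.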
Check Point attributes the November campaign to Malsmoke. This is the first time that researchers have seen the group abuse Microsoft’s digital signatures, Eisenkraft says, but they have noticed similarities to previous Malsmoke campaigns. Its previous attacks were known to disguise malware as Java plugins, which the researchers say is also happening in this case.
There is also a connection between the registrar information for the domain teamworks455[.]com, where the current campaign files are hosted, and another domain linked to a separate Malsmoke 2020 campaign.