ZLoader Malware leverages Microsoft signature verification

Third-party risk management, Application security, Cybercrime

Attackers use legitimate remote management software for infections

Prajeet Nair (@prajeetspeaks) •
January 5, 2022

A Zloader malware campaign exploited Microsoft’s digital signature verification to steal cookies, passwords and sensitive information, researchers say.


The threat actor, likely MalSmoke, used legitimate remote management software to gain initial access to the target machine, says Golan Cohen, malware analyst at Check Point Research, who published the research report. The Israeli cybersecurity firm’s cyber threat intelligence unit says it has been following the chain of infection since early November 2021.

The malware abuses a weakness in Microsoft’s digital signature verification: a payload is injected into a signed system DLL without invalidating its signature, allowing it to evade system defenses. Cohen says this shows how the authors of the Zloader campaign are making efforts to evade defenses and are updating their methods on a weekly basis.

“Zloader campaigns have already been spotted in the wild in several forms. Two notable ways seen here are using legitimate RMM software as the initial access to a target machine and adding code to a file signature while maintaining the validity of the signature and running it using mshta.exe,” Cohen explains.

Full access enabled

Remote management software will always be an attack vector of choice, simply because it gives criminals what looks like a legitimate avenue to take control of target devices and do whatever they want with them, says Alan Calder, CEO of risk management solutions provider GRC International Group.

“The digital signature is one of the most important mechanisms provided by Microsoft. The process was created to prevent malicious payload distribution campaigns, but in this case it allowed the reverse to happen,” said Kevin Bocek, vice president of ecosystem and threat intelligence at cybersecurity company Venafi. “We have seen similar high-profile violations focusing attacks on developers using banking Trojans in the past, and these Malsmoke Zloader attacks use Atera’s remote monitoring and management software, which is commonly used around the world. This gives attackers full access to victims’ systems, allowing them to upload or download files at will.”

Bocek says these breaches exploiting the Microsoft digital signature vulnerability are a reminder for organizations to be vigilant against code-signing attacks. Blindly trusting the security of digital signatures is simply not enough, especially in the age of cloud computing, in which “we have to learn quickly to secure software development pipelines. Instead, organizations need to put measures in place to continuously review and protect these incredibly powerful machine identities.”

Analysis of attacks

During the analysis, the researchers discovered an open directory containing the files used in the campaign, hosted on teamworks455[.]com.

“Every few days the author makes changes to the files and the check.php script returns a different DLL file with the same behavior, but a different hash. In the ‘entries’ file, we can see a list of victims infected with Zloader and their country of origin,” the researchers said.

As of January 2, the Check Point Research team said there were 2,170 unique victim IP addresses that had downloaded the malicious DLL file. Most of the victims, the researchers added, reside in the United States and Canada.

The chain of infection begins with the installation of the Atera software on the victim’s machine. Atera is legitimate business remote monitoring and management software designed for IT use. It can install an agent and assign the endpoint to a specific account using a single .msi file that includes the owner’s email address.

“The campaign authors created this installer (b9d403d17c1919ee5ac6f1475b645677a4c03fe9) with a temporary email address: ‘[email protected]’. The file mimics a Java installation, just like in previous Zloader campaigns. At this point, the exact distribution method for this record is not fully understood,” Cohen says.

When installing the agent on a victimized machine, the attacker gains full system access and can upload and download files and run scripts, the researchers said.

“Atera is offering a 30-day free trial for new users, which is enough for the attacker to stealthily gain initial access. Previously, Atera was used by the Conti ransomware group to gain persistence and remote access,” says Check Point (see: Conti Ransomware Threat Rises As Group Gains Affiliates).

After the agent is successfully installed, the attacker downloads and runs two .bat files on the device using the Run Script function. The .bat files are used to change Windows Defender preferences and to load the rest of the malware.

Additionally, Cohen says the rest of the files are hosted on the teamworks455[.]com domain and are downloaded from there. These files include a load.bat script, which downloads and runs new.bat, which in turn checks for administrator privileges and requests them using the BatchGotAdmin script.

“It then continues to download another bat file (new1.bat). This new script adds more exclusions to Windows Defender for different folders, disables different tools on the machine that could be used for detection and investigation, such as cmd.exe and task manager,” Cohen says.

The process also downloads files that allow the malicious actor to run programs with elevated privileges, disable administrator approval mode and shut down the computer, as well as allow startup persistence.

Analysis of a file named appContast.dll showed that it was signed by Microsoft with a valid signature. The file, whose original name is AppResolver.dll, had been injected with a malicious script that loads the malware from the previous step.

“By comparing the two files, we see that in the malicious DLL, the author added a script to the file, which then goes into a sleep phase,” the research report states. “Then it runs the main Zloader payload, ultimately injecting its payload into the current process.” An installation program then communicates with the command and control server at the domain lkjhgfgsdshja[.]com, the researchers say.

“This is made possible by exploiting a known issue identified as CVE-2013-3900, a WinVerifyTrust signature validation vulnerability that allows remote attackers to execute arbitrary code through specially crafted portable executables by adding the malicious code snippet while maintaining the validity of the signature file,” say the researchers.

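As an added example (not part of the article or of Check Point’s research), the following Python check applies the defender’s side of CVE-2013-3900: Authenticode hashes everything in a PE except the Attribute Certificate Table, so bytes placed inside the WIN_CERTIFICATE entry after the PKCS#7 SignedData blob do not break the signature unless the padding check is enforced. The sample PE is constructed here, with a placeholder SEQUENCE standing in for a real SignedData structure.

```python
import struct

def der_total_length(buf: bytes) -> int:
    """Length of the DER element at buf[0]: tag + length bytes + content."""
    if len(buf) < 2 or buf[0] != 0x30:  # PKCS#7 SignedData is a SEQUENCE
        raise ValueError("certificate entry is not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def unhashed_trailing_bytes(cert_table: bytes) -> int:
    """Count bytes inside WIN_CERTIFICATE.bCertificate that follow the PKCS#7 blob.
    Authenticode excludes the certificate table from the file hash, so such bytes survive
    verification unless the CVE-2013-3900 padding check is enforced. Up to 7 zero bytes
    of 8-byte alignment padding are legitimate and yield 0."""
    dw_length, _revision, _cert_type = struct.unpack_from("<IHH", cert_table, 0)
    body = cert_table[8:dw_length]
    extra = body[der_total_length(body):]
    if len(extra) <= 7 and extra == b"\0" * len(extra):
        return 0
    return len(extra)

def cert_table_of_pe(pe: bytes) -> bytes:
    """Slice out the Attribute Certificate Table (data directory 4; its 'RVA' is a file offset)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directory offset
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if size == 0:
        raise ValueError("file carries no Authenticode signature")
    return pe[off:off + size]

def build_sample_pe(appended: bytes) -> bytes:
    """CONSTRUCTED sample: a skeletal PE32+ whose cert table holds a dummy SEQUENCE plus `appended`."""
    pkcs7 = b"\x30\x82\x00\x10" + b"\xAA" * 16     # placeholder for SignedData, not a real signature
    body = pkcs7 + appended
    body += b"\0" * (-len(body) % 8)               # normal 8-byte alignment padding
    table = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    hdr = bytearray(0x40 + 4 + 20 + 112 + 128)     # DOS stub, PE sig, COFF, PE32+ optional header, 16 dirs
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x20B)  # PE32+ magic
    struct.pack_into("<II", hdr, 0x40 + 24 + 112 + 32, len(hdr), len(table))  # security directory
    return bytes(hdr) + table
```

A non-zero result means the file carries data that WinVerifyTrust will still accept as validly signed on systems where the padding check has not been enabled; that check is opt-in via the EnableCertPaddingCheck value under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node path on 64-bit Windows).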
Threat actor MalSmoke, according to Check Point Research, has already run campaigns that have some similarities to the current one.

“MalSmoke malware from previous campaigns is known to masquerade as Java plugins, which happens in this case. There is a connection between the domain registrar information of teamworks455[.]com, where the current campaign files are hosted, and the pornislife[.]online domain that was linked to a MalSmoke campaign in 2020,” the researchers say.

During the investigation of the “entries” file, researchers said they found two IP addresses that could be linked to the attackers. The first address, 185[.]191[.]34[.]223, was spotted in an IP blacklist classified under the cybercrime category.

“The second address, 185[.]191[.]34[.]209, can be seen trying to download the payload multiple times, using different user agents. This could indicate that the authors were testing their payload,” the researchers say.

To mitigate the problem, the researchers recommend that vendors “conform to the new Authenticode specifications to have these settings by default, instead of an opt-in update. Until that happens, we can never be sure that we can truly trust the signing of a file.”