Hackers are exploiting a bug Microsoft fixed 9 years ago

The widely used ZLoader malware turns up in all sorts of criminal attacks, from attempts to steal banking passwords and other sensitive data to ransomware. Now a ZLoader campaign that started in November has infected nearly 2,200 victims in 111 countries by abusing a Windows vulnerability that Microsoft fixed back in 2013.

Attackers have long used a variety of tactics to sneak ZLoader past malware detection tools. In this case, according to researchers at security firm Check Point, they took advantage of a flaw in Microsoft’s signature verification, the integrity check meant to ensure that a file is legitimate and trusted. First, they trick victims into installing a legitimate remote IT management tool called Atera to gain access to and control over the device; that part is nothing particularly surprising or novel. From there, however, the attackers still need to install ZLoader without Windows Defender or another malware scanner detecting or blocking it.

This is where the nearly decade-old flaw comes in handy. Attackers can modify a legitimate Dynamic Link Library (DLL) file, a shared code library that many programs load, so that it carries their own malware. The DLL they chose is digitally signed by Microsoft, which is supposed to prove its authenticity. But the attackers were able to quietly append a malicious script to the file without invalidating Microsoft’s seal of approval: the signed hash of a Windows executable excludes the region of the file that holds the signature itself, so data tucked into that region is never checked unless Windows also verifies that the region contains nothing but the signature.
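As an added illustration of the weakness described above (this is example code written for this page, not Check Point’s analysis or Microsoft’s verifier), the Python below parses a PE file, locates the Authenticode certificate table and reports any non-zero bytes sitting after the PKCS#7 signature blob. Because the signed hash excludes that table, bytes appended inside it leave the signature intact; a stricter check that insists the leftover bytes are zero padding catches them. The script does not verify the signature itself, assumes a single WIN_CERTIFICATE entry, and builds its own constructed, non-executable PE32 skeleton with a dummy certificate blob as test input (no real signed file is embedded).

```python
import struct

# WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (little-endian)
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _der_total_length(blob: bytes) -> int:
    """Total size (tag + length octets + content) of the DER element at the start of blob."""
    if len(blob) < 2 or blob[0] != 0x30:  # an Authenticode signature is a PKCS#7 SEQUENCE
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe: bytes) -> tuple:
    """Return (file_offset, size) of the Certificate Table, data directory entry 4.

    Unlike the other data directories this entry holds a raw file offset, not an RVA.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20               # skip PE signature and COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                    # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                  # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", pe, num_dirs_off)[0] < 5:
        return 0, 0
    return struct.unpack_from("<II", pe, dirs_off + 4 * 8)


def check_cert_table(pe: bytes) -> dict:
    """Report bytes in the certificate table that sit outside the PKCS#7 signature blob.

    Assumes a single WIN_CERTIFICATE entry (the common case). Anything after the DER
    blob should be zero alignment padding; non-zero bytes there are unauthenticated data.
    """
    off, size = security_directory(pe)
    if size == 0:
        return {"signed": False, "trailing_bytes": 0, "nonzero_trailing": 0, "suspicious": False}
    region = pe[off:off + size]
    dw_length, _revision, cert_type = WIN_CERT_HEADER.unpack_from(region, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected certificate type 0x%x" % cert_type)
    der_len = _der_total_length(region[8:])
    tail = region[8 + der_len:]           # everything after the signature, up to the table's end
    nonzero = sum(1 for b in tail if b)
    return {
        "signed": True,
        "der_length": der_len,
        "table_length": dw_length,
        "trailing_bytes": len(tail),
        "nonzero_trailing": nonzero,
        "suspicious": nonzero > 0,
    }


def build_test_pe(appended: bytes = b"") -> bytes:
    """Constructed PE32 skeleton with a dummy certificate table; test input only, not a real signed file."""
    fake_der = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])  # SEQUENCE { INTEGER 1, INTEGER 2 }
    body = fake_der + appended
    body += b"\0" * ((-len(body)) % 8)    # zero-pad to 8 bytes, as signing tools do
    win_cert = WIN_CERT_HEADER.pack(8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    cert_off = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(win_cert))  # Certificate Table entry
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return headers.ljust(cert_off, b"\0") + win_cert


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(b"CONSTRUCTED APPENDED DATA")
    print(check_cert_table(data))
```

Saved as a script and run with the path of a real signed DLL as its argument, it reports a handful of zero alignment bytes in `trailing_bytes` and `nonzero_trailing` of 0 for a clean file; a file with content smuggled into the certificate table shows a large non-zero tail. The stricter verification this mirrors is the opt-in behaviour Microsoft shipped for CVE-2013-3900: it is switched on by setting the REG_SZ value `EnableCertPaddingCheck` to `1` under `HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config` (and the matching `Wow6432Node` path on 64-bit Windows), after which signature validation fails for binaries whose certificate table carries such non-zero padding.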

“When you see a file like a signed DLL, you’re pretty sure you can trust it, but this shows that’s not always the case,” said Kobi Eisenkraft, a malware researcher at Check Point. “I think we’ll see more of this attack method.”

Microsoft calls its code signing process “Authenticode”. It released a fix in 2013 that verifies Authenticode signatures more strictly, so that files manipulated in this way are flagged. Initially the stricter behaviour was to become the default for all Windows users, but in July 2014 Microsoft revised its plans and made it opt-in.

“As we worked with customers to adapt to this change, we determined that the impact on existing software could be high,” the company wrote in 2014, meaning the fix caused false positives in which legitimate files were flagged as potentially malicious. “As a result, Microsoft no longer plans to enforce stricter verification behavior as a default requirement. However, the basic functionality for tighter verification is maintained and can be activated at the customer’s discretion.”

In a statement on Wednesday, Microsoft emphasized that users can protect themselves with the fix the company released in 2013. The company also notes that, as Check Point researchers observed in the ZLoader campaign, the vulnerability can only be exploited if a device is already compromised or the attackers directly trick the victim into running one of the manipulated files that appear to be signed. A Microsoft spokesperson told WIRED: “Customers who apply the update and activate the configuration indicated in the security advisory will be protected.”

However, while the fix has been available for years, many Windows devices may not have the feature enabled, since users and system administrators need to know about the patch and then choose to turn it on. Microsoft noted in 2013 that the vulnerability was being actively exploited by hackers in “targeted attacks”.
