Microsoft's source code signature control system is easily bypassed by Zloader malware
According to security research firm Check Point, a hacker group called MalSmoke launched a Zloader malware infection campaign in November 2021. Up to now, this campaign is still going on and growing in scale.
It is worth noting that the malware is capable of bypassing Microsoft's source code signature checking system. It then deployed malware packages and to date has stolen the personal information of thousands of victims from 111 countries.
Zloader (also known as Terdot or DELoader) is a banking malware first discovered in 2015. It can steal account information and a lot of other private information from infected systems.
Recently, Zloader has also been used to spread other types of malicious code including ransomware such as Ryuk and Egregor.
Abuse of Atera . remote management software
In the most recent campaign, Zloader infected by distributing the Java.msi file as a modified Atera installer.
Atera is an enterprise remote monitoring and management software widely used in the IT field. As a result, anti-virus tools do not warn victims even if the installer has been modified.
It is not clear how the hacker managed to trick the victim into downloading the malicious file. However, they are more likely to be distributed through crack software or email scams.
Once launched, the malicious code will provide remote access to the system to the hacker. From there, the hacker can execute scripts and upload or download files.
Microsoft's source code digital signature checking system has been bypassed
The remarkable thing about this tool is that Microsoft's code signature checking system has been bypassed. Check Point experts confirmed that the appContast.dll file with the Zloader installation and registry modification task contains a valid source code signature. Therefore, the operating system trusts and allows it to execute normally.
Comparing the repaired DLL file with the original Atera DLL, the experts found minor modifications in the checksum and signature size. However, these changes are too small to invalidate the signature but enough to append data to the signature portion of the file.
Microsoft has known about this vulnerability since 2012 and assigned it tracking codes CVE-2020-1599, CVE-2013-3900, and CVE-2021-0151. The company is also trying to release increasingly strict file verification policies. However, for some reason they are still disabled by default.
You can enable strict Microsoft policies by taking the following steps:
- Open Notepad
- Copy the following lines of code into Notepad:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE/Software/Microsoft/Cryptography/Wintrust/Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE/Software/Wow6432Node/Microsoft/Cryptography/Wintrust/Config] "EnableCertPaddingCheck"="1"
- Save the Notepad file as a .reg . file
- Double-click the saved file to run it
As of January 2, 2022, the latest Zloader campaign has hit 2,170 different systems.
You should read it
- Microsoft dismantled the ZLoader botnet, naming key members as a deterrent
- Discover a new kind of malicious code that can record the phone call to extort money
- Warning: The new Facebook virus, a malicious code that is spreading rapidly through Messenger
- Threats and risks from malware on USB Flash
- Warning: New malicious code is infecting about 500,000 router devices
- Malware sneaks into iOS through Apple's official distribution channels
- 14 games on the App Store contain malicious code, iPhone users be careful
- Find bug in Emotet malware, prevent it from spreading for 6 months
- 10 million Android devices are preinstalled with malicious code from the factory
- Hackers break into chats on Microsoft Teams to spread malware
- Fileless malware - Achilles heel of traditional antivirus software
- Researchers create malware based on artificial intelligence
Maybe you are interested
9 ways to fix the error of not being able to save files as JPEG or PNG in Photoshop
Download standard and beautiful Word file experience initiative cover template
How to use the file search command on Windows, find saved files
How to split sheet into multiple separate Excel files
How to merge PDF files, merge and join multiple PDF files into a single file
How to clean up iPhone junk, delete junk files to free up iPhone storage