Microsoft's source code signature control system is easily bypassed by Zloader malware

According to security research firm Check Point, a hacker group called MalSmoke launched a Zloader malware infection campaign in November 2021. Up to now, this campaign is still going on and growing in scale.

It is worth noting that the malware is capable of bypassing Microsoft's source code signature checking system. It then deployed malware packages and to date has stolen the personal information of thousands of victims from 111 countries.

Zloader (also known as Terdot or DELoader) is a banking malware first discovered in 2015. It can steal account information and a lot of other private information from infected systems.

Recently, Zloader has also been used to spread other types of malicious code including ransomware such as Ryuk and Egregor.

Abuse of Atera . remote management software

In the most recent campaign, Zloader infected by distributing the Java.msi file as a modified Atera installer.

Atera is an enterprise remote monitoring and management software widely used in the IT field. As a result, anti-virus tools do not warn victims even if the installer has been modified.

It is not clear how the hacker managed to trick the victim into downloading the malicious file. However, they are more likely to be distributed through crack software or email scams.

Once launched, the malicious code will provide remote access to the system to the hacker. From there, the hacker can execute scripts and upload or download files.

Microsoft's source code digital signature checking system has been bypassed

The remarkable thing about this tool is that Microsoft's code signature checking system has been bypassed. Check Point experts confirmed that the appContast.dll file with the Zloader installation and registry modification task contains a valid source code signature. Therefore, the operating system trusts and allows it to execute normally.

Comparing the repaired DLL file with the original Atera DLL, the experts found minor modifications in the checksum and signature size. However, these changes are too small to invalidate the signature but enough to append data to the signature portion of the file.

Microsoft has known about this vulnerability since 2012 and assigned it tracking codes CVE-2020-1599, CVE-2013-3900, and CVE-2021-0151. The company is also trying to release increasingly strict file verification policies. However, for some reason they are still disabled by default.

You can enable strict Microsoft policies by taking the following steps:

1. Open Notepad
2. Copy the following lines of code into Notepad:

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE/Software/Microsoft/Cryptography/Wintrust/Config] "EnableCertPaddingCheck"="1" [HKEY_LOCAL_MACHINE/Software/Wow6432Node/Microsoft/Cryptography/Wintrust/Config] "EnableCertPaddingCheck"="1"

1. Save the Notepad file as a .reg . file
2. Double-click the saved file to run it

As of January 2, 2022, the latest Zloader campaign has hit 2,170 different systems.

David Pac

Update 06 January 2022