An active ZLoader malware campaign has been discovered, which uses remote monitoring tools and a nine-year-old Microsoft digital signature verification vulnerability to steal user credentials and sensitive data. Check Point Research, an Israeli cybersecurity firm, linked it to a cybercriminal gang known as Malsmoke, noting similarities to past attacks.
“The techniques incorporated in the infection chain include the use of legitimate remote management software (RMM) to gain initial access to the target machine,” Check Point’s Golan Cohen revealed in a report. “The malware then exploits Microsoft’s digital signature verification method to inject its payload into a signed system DLL to further evade the system’s defenses.”
As of January 2, 2022, the campaign is alleged to have claimed 2,170 victims in 111 nations, with most of those impacted living in the United States, Canada, India, Indonesia, and Australia. It’s also known for escaping detection and analysis by wrapping itself in layers of obfuscation and other detection-evasion techniques.
The attack starts with the installation of Atera, a legitimate enterprise remote monitoring and management program capable of uploading and downloading arbitrary files and running scripts. The precise method used to distribute the installer is not yet known. Atera is then used to drop further files: one adds exclusions to Windows Defender, while the other retrieves and executes the next-stage payloads, including a DLL named “appContast.dll,” which in turn runs the ZLoader binary (“9092.dll”).
It’s worth noting that appContast.dll not only carries a legitimate Microsoft signature, but that the file, formerly an app resolver module (“AppResolver.dll”), has been altered and injected with a malicious script to launch the final-stage malware. This is done by leveraging CVE-2013-3900, a WinVerifyTrust signature validation vulnerability that allows remote attackers to execute arbitrary code by appending their code to a specially crafted portable executable while the file’s signature remains valid.
Even though Microsoft fixed the problem in 2013, the company revised its plans in July 2014: the stricter verification behavior would no longer be enabled by default on supported Windows versions and was instead made available as an opt-in feature. In other words, the remedy is turned off by default, which is what allowed the malware authors to modify the signed file.
According to Check Point malware researcher Kobi Eisenkraft, the ZLoader campaign authors appear to have put a lot of effort into defense evasion and continue to update their methods every week. Users should avoid installing software from unknown sources and enable Microsoft’s strict Windows Authenticode signature verification for executable files.
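The padding that CVE-2013-3900 abuses is unauthenticated data placed after the PKCS#7 SignedData inside a PE file's WIN_CERTIFICATE entry. The following added example (not code from the article or from Check Point) parses a PE's security directory and reports such trailing bytes, flagging anything beyond the usual quadword alignment or any non-zero slack; the `build_sample_pe` helper and its byte values are constructed test input, not a real signed binary.

```python
import struct

def der_length(buf, off):
    """Total encoded size of the DER element at buf[off] (short or long length form)."""
    first = buf[off + 1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")

def security_directory(pe):
    """Return (file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY (data directory index 4)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories start here for PE32 / PE32+
    return struct.unpack_from("<II", pe, dirs + 4 * 8)

def check_signature_padding(pe):
    """Report bytes after the PKCS#7 blob but inside the WIN_CERTIFICATE entry.
    A normal signer leaves at most 7 zero bytes of alignment; anything else is suspect."""
    off, size = security_directory(pe)
    if size == 0:
        return {"signed": False}
    dw_length, _rev, _ctype = struct.unpack_from("<IHH", pe, off)
    cert = off + 8                                # bCertificate follows the 8-byte header
    if pe[cert] != 0x30:
        raise ValueError("bCertificate is not a DER SEQUENCE")
    pkcs7_len = der_length(pe, cert)
    tail = pe[cert + pkcs7_len:off + dw_length]
    return {"signed": True, "pkcs7_len": pkcs7_len, "trailing_bytes": len(tail),
            "suspicious": len(tail) > 7 or any(tail)}

def build_sample_pe(trailing=b""):
    """Constructed, unsigned PE32 stub with a security directory (test input only)."""
    pkcs7 = b"\x30\x03\x02\x01\x01"               # SEQUENCE { INTEGER 1 } stands in for SignedData
    body = pkcs7 + trailing
    pad = (-len(body)) % 8                        # WIN_CERTIFICATE entries are quadword aligned
    blob = struct.pack("<IHH", 8 + len(body) + pad, 0x0200, 0x0002) + body + b"\0" * pad
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                        # PE32 fields before the directories
    dirs = b"\0" * 32 + struct.pack("<II", 64 + 24 + 224, len(blob)) + b"\0" * 88
    return dos + coff + opt + dirs + blob

if __name__ == "__main__":
    print(check_signature_padding(build_sample_pe()))
    print(check_signature_padding(build_sample_pe(b"<appended data>" * 3)))
```

Run against a real file with `check_signature_padding(open(path, "rb").read())`; a hit is worth a closer look even where Windows still reports the signature as valid, since the strict check is off by default.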