MalSmoke attack: Zloader malware exploits Microsoft’s signature verification to steal sensitive data
Already impacting more than 2,000 victims, the malware is able to modify a DLL file digitally signed by Microsoft, says Check Point Research.
A new malware campaign is taking advantage of a vulnerability in the way Microsoft digitally signs a specific file type. As described on Wednesday by cyber threat intelligence firm Check Point Research, an attack using the infamous Zloader banking malware aims to steal account credentials and other private data and has already infected 2,170 unique machines that downloaded the malicious DLL file involved in the exploit. Most of the victims are in the US and Canada, but the campaign has hit more than 100 other countries, including India, Germany, Russia and the UK.
Attributing the attack to the MalSmoke cybercriminal group, Check Point said that the campaign, first seen in early November 2021, uses legitimate remote management software to access the target machine. From there, the attackers exploit Microsoft’s digital signature verification method to inject their malicious payload into a signed Windows DLL file to skirt past security defenses.
Specifically, the campaign begins by installing the Atera remote monitoring and management software on a target machine. A legitimate remote tool used by IT professionals, Atera’s product offers a free 30-day trial for new users, an option the attackers are likely using to gain the initial access. Once the product is installed, the operators have full control of the system to run scripts and upload or download files.
In the next phase, the attackers download and run two malicious files, one of which is designed to disable certain protections in Windows Defender and the other to load the rest of the malware. From there, a script runs an executable file, and that’s where the operators exploit a hole in Microsoft’s signature verification.
A malicious script is run using a file called appContast.dll, which points to a legitimate Windows system file called AppResolver.dll as the source. Upon analysis, Check Point discovered that this file is signed by Microsoft with a valid signature. Despite that digital signature, the malware is able to append a script to this file to carry out the attack. This is because the operators were able to append data to the signature section of the file without changing the validity of the signature itself.
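A static check for the condition described above, as an added example that is not code from Check Point or Microsoft: it parses a PE file's certificate table and reports any bytes that follow the signature blob inside the first WIN_CERTIFICATE entry. The function names and the sample file are constructed for illustration, and the check does not validate the signature itself.

```python
import struct

def der_total_len(buf: bytes) -> int:
    """Size (header + content) of the DER SEQUENCE at the start of buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    if buf[1] < 0x80:                               # short-form length
        return 2 + buf[1]
    n = buf[1] & 0x7F                               # long form: n length bytes
    if not 1 <= n <= 4 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def authenticode_extra_bytes(pe: bytes) -> bytes:
    """Bytes after the PKCS#7 blob in the first WIN_CERTIFICATE entry that are
    not plain alignment padding; b"" means nothing unexpected was found."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                             # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]     # PE32 / PE32+
    # Data directory index 4 is the certificate table (a raw file offset).
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if sec_size == 0:
        raise ValueError("file carries no Authenticode signature")
    dw_length = struct.unpack_from("<I", pe, sec_off)[0]
    blob = pe[sec_off + 8:sec_off + dw_length]      # skip 8-byte header
    tail = blob[der_total_len(blob):]
    # Up to 7 zero bytes are ordinary 8-byte alignment padding.
    return b"" if len(tail) < 8 and not any(tail) else tail

def constructed_sample(extra: bytes = b"") -> bytes:
    """Constructed PE32+ skeleton with a fake 4-byte 'signature' blob."""
    blob = bytes([0x30, 0x04, 1, 2, 3, 4]) + b"\0\0" + extra
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    hdr = bytearray(0x40 + 24 + 112 + 16 * 8)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)         # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x20B)   # PE32+ magic
    struct.pack_into("<II", hdr, 0x40 + 24 + 112 + 32, len(hdr), len(cert))
    return bytes(hdr) + cert

if __name__ == "__main__":
    print(authenticode_extra_bytes(constructed_sample()))             # clean
    print(authenticode_extra_bytes(constructed_sample(b"appended")))  # flagged
```

A non-empty result on a file that Windows still reports as validly signed is worth triage, since legitimate signing tools leave only alignment padding after the signature blob.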
Ironically, Microsoft had issued a fix for this exploit in 2013, as documented in the following CVEs: CVE-2020-1599, CVE-2013-3900 and CVE-2012-0151. This fix was designed to resolve a vulnerability in the way portable executable (PE) files are validated through digital signatures. But after determining that the fix could impact existing software, the company changed it from a strict update to one that was opt-in. As the fix is disabled by default, many organizations are likely still vulnerable.
“We released a security update (CVE-2013-3900) in 2013 to help keep customers protected from exploitation of this vulnerability,” a Microsoft spokesperson told ZDNet. “Customers who apply the update and enable the configuration indicated in the security advisory will be protected. Exploitation of this vulnerability requires the compromise of a user’s machine or convincing a victim to run a specially crafted, signed PE file.”
To help you protect yourself and your organization against this particular exploit, Check Point advises you to apply Microsoft’s update for strict Authenticode verification.
“People need to know that they can’t immediately trust a file’s digital signature,” said Check Point malware researcher Kobi Eisenkraft. “All in all, it seems like the Zloader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis. I strongly urge users to apply Microsoft’s update for strict Authenticode verification. It is not applied by default.”