Malsmoke hackers abuse Microsoft signature verification in ZLoader cyberattacks

The hacking group Malsmoke is abusing a weakness in Microsoft's digital signature verification to deliver malware and steal user data.

On Wednesday, Check Point Research (CPR) reported that, to date, more than 2,100 victims have been identified worldwide in a new campaign, most of them in the United States, Canada, and India, although infections have been found in 111 countries.

Named ZLoader, the malware has been used in the past to deliver banking Trojans and has been closely linked to several ransomware families.

The new campaign is estimated to have begun in November 2021. During the initial stage of an attack, the malware operators use Atera, a legitimate remote management tool, as the entry point onto the system.

It is not yet known how the malicious Atera package is distributed. The installer is disguised as a Java installer; what it actually installs is an Atera agent that enrolls the victim's PC under an attacker-controlled account, allowing the operators to push malicious payloads remotely.

Two .bat files are then uploaded to the victim's machine: the first tampers with Windows Defender, and the second loads ZLoader. During this phase, Windows Defender exclusions are added to stop the security tool from raising alerts, tools that could reveal the tampering, such as Task Manager and cmd.exe, are disabled, and further scripts disable "Admin Approval Mode".

Additionally, a script is added to the startup folder for persistence, and the PC is rebooted so that the system changes take effect.


Notably, a signed but malicious .DLL file is used to load ZLoader onto the device, according to the team. CPR reported that the file was modified and additional code was appended by abusing a known issue in the signature verification of crafted PE files, referenced in CVE-2020-1599, CVE-2013-3900, and CVE-2012-0151.

Although a fix was issued years ago, it caused problems with legitimate installers.

"Microsoft addressed the issue in 2013 with a security bulletin and pushed a fix," the researchers say. "However, they announced after its implementation that they had 'determined that the impact to existing software could be high.' So, in July 2014, they pulled the stricter file verification and changed it to an opt-in update. In other words, this fix is disabled by default, which is what allows the malware author to modify the signed file."
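The weakness the researchers describe is structural: the Authenticode signature lives in a WIN_CERTIFICATE record at the end of the PE file, and the default Windows verifier hashes only the signed regions, so bytes tucked into that record beyond the PKCS#7 blob do not invalidate the signature. The following Python check is an added example written for this page, not code from Check Point's report or from any Microsoft tool. It walks the PE headers to the security data directory, reads the WIN_CERTIFICATE header, measures the DER length of the PKCS#7 blob inside it, and flags bytes beyond that blob (beyond the 8-byte alignment slack the format allows) as well as bytes trailing the certificate table. The sample images it builds are constructed for the demo: they are not valid executables and carry a placeholder DER blob rather than a real signature, so the code checks layout, not the cryptographic signature; the 8-byte `slack` allowance is an assumption.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory index of the Attribute Certificate Table
WIN_CERT_HEADER = struct.Struct("<IHH")  # dwLength, wRevision, wCertificateType


def _der_tlv_length(buf: bytes, pos: int) -> int:
    """Total size (tag + length octets + content) of the DER element at buf[pos]."""
    first = buf[pos + 1]
    if first < 0x80:                       # short form: one length octet
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    content = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return 2 + n + content


def security_directory(pe: bytes) -> tuple:
    """Return (file offset, size) of the Attribute Certificate Table, or (0, 0)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    opt = coff + 20                        # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directories start 96 bytes into a PE32 optional header, 112 for PE32+.
    dirs = opt + (96 if magic == 0x10B else 112)
    # Unlike other directories, the security entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def check_authenticode_padding(pe: bytes, slack: int = 8) -> list:
    """Return findings about data smuggled around the Authenticode blob; [] if it is tight."""
    findings = []
    off, size = security_directory(pe)
    if off == 0 or size == 0:
        return ["no Authenticode signature present"]
    if off + size != len(pe):
        findings.append(f"{len(pe) - (off + size)} bytes trail the certificate table")
    dw_length, _rev, _ctype = WIN_CERT_HEADER.unpack_from(pe, off)
    if dw_length != size:
        findings.append("WIN_CERTIFICATE.dwLength disagrees with the directory size")
    cert = off + WIN_CERT_HEADER.size
    if pe[cert] != 0x30:                   # a PKCS#7 SignedData blob starts with a DER SEQUENCE
        findings.append("bCertificate does not start with a DER SEQUENCE")
        return findings
    extra = dw_length - WIN_CERT_HEADER.size - _der_tlv_length(pe, cert)
    if extra > slack:                      # up to 8 bytes is legitimate alignment padding (assumption)
        findings.append(f"{extra} bytes appended inside WIN_CERTIFICATE after the PKCS#7 blob")
    return findings


def build_sample_pe(appended: bytes = b"") -> bytes:
    """Constructed PE32 skeleton for the demo: not runnable and not really signed.

    Only the fields the checker reads are populated. The 'signature' is a
    placeholder DER SEQUENCE standing in for a real PKCS#7 SignedData blob, and
    `appended` mimics data an attacker tucks into the certificate padding.
    """
    placeholder = b"\x30\x10" + b"\x04\x0e" + b"constructed!!!"   # 18-byte DER SEQUENCE
    blob = placeholder + appended
    blob += b"\0" * (-len(blob) % 8)                                # keep dwLength 8-aligned
    cert_table = WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(blob), 0x0200, 0x0002) + blob

    hdr = bytearray(312)                   # DOS(64) + sig(4) + COFF(20) + optional(224)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)          # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<H", hdr, 68 + 16, 224)      # SizeOfOptionalHeader (96 + 16 directories)
    struct.pack_into("<H", hdr, 88, 0x10B)         # PE32 magic
    dirs = 88 + 96
    struct.pack_into("<II", hdr, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     len(hdr), len(cert_table))    # certificate table offset and size
    return bytes(hdr) + cert_table


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe()),
                          ("padded", build_sample_pe(b"cmd /c smuggled-script")),
                          ("trailing", build_sample_pe() + b"\x90" * 16)):
        print(label, check_authenticode_padding(sample) or "ok")
```

This is a triage heuristic, not signature verification: Windows itself only rejects such padding when the opt-in setting from the CVE-2013-3900 advisory is enabled, a REG_SZ value named EnableCertPaddingCheck set to "1" under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and under the Wow6432Node path on 64-bit systems). Running a check like this over incoming signed binaries lets a defender spot the appended data even on hosts where that setting is still off.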

The final payload is ZLoader. This malware, a banking Trojan in its own right, is capable of stealing user credentials, cookies and sensitive information, including financial account login data, and also acts as a backdoor and loader for further malicious code.

In September, Microsoft warned that ZLoader was being spread through Google keyword ads to infect vulnerable PCs with Conti ransomware.

CPR attributes the latest campaign to MalSmoke because of similarities in the code, the use of Java plugins as fake installers, and links between the registrar records of domains previously used by the group to distribute the Raccoon Stealer malware.

According to the researchers, the exploited verification gap is a thorny area, as Microsoft's stricter signature checks are not enabled by default; and although the cybersecurity company recommends that users apply Microsoft's update for Authenticode strict verification, doing so can also cause legitimate installers to show up as having an invalid signature.

"Overall, the authors of the ZLoader campaign seem to be putting a lot of effort into circumventing defenses and are still updating their tactics every week," said Kobi Eisenkraft, Malware Researcher at Check Point. "I strongly urge users to apply Microsoft's update for Authenticode strict verification. It is not applied by default."

Microsoft and Atera were made aware of the researchers' findings.

"We released a security update (CVE-2013-3900) in 2013 to help keep customers protected from exploitation of this vulnerability," a Microsoft spokesperson told ZDNet. "Customers who apply the update and enable the configuration indicated in the security advisory will be protected. Exploiting this vulnerability requires compromising a user's device or convincing a victim to run a specially crafted, signed PE file."
