Researchers have identified a new campaign deploying the Zloader banking malware by abusing a weakness in Microsoft's Authenticode signature verification. The attackers append their own code to a legitimately signed Microsoft DLL without invalidating its signature, which lets the malware slip past security checks that trust signed files.
Zloader Malware Abuses Microsoft Signature Verification
Zloader is a long-running banking trojan whose previous campaigns were active in 2021. In the latest campaign, the threat actors behind Zloader abused a weakness in Microsoft's signature verification to deploy the payload stealthily, according to Check Point Research.
As elaborated in their report, the attack begins with the abuse of legitimate remote monitoring and management (RMM) software to reach target systems. During their analysis, the researchers found the Atera RMM agent being abused for this purpose. Regarding how the software works, the report states,
Atera can install an agent and assign the endpoint to a specific account using a unique .msi file that includes the owner’s email address.
The threat actors abused exactly this mechanism: they built an Atera installer tied to a temporary email address and disguised it as a Java installation.
Once the installer runs on the device, it gives the attackers remote access to it. They then execute two .bat files to tamper with Windows Defender settings and deploy the remaining malware components.
Eventually, a script runs a legitimate Windows executable with a DLL that carries a valid Microsoft digital signature. As the report states,
The script runs mshta.exe with file appContast.dll as the parameter. When we took a closer look at the DLL, we noticed that the file is signed by Microsoft with a valid signature and its original filename is AppResolver.dll.
The attackers appended a script to this DLL to carry out a few more tasks. The modification preserves the signature because the appended bytes are placed in the file's Authenticode certificate table, a region that the signature hash does not cover; unless Windows is configured to check for extra data there, the altered file still validates as Microsoft-signed. That is what let the tampered DLL evade EDRs that trust a valid signature.
In the final stage, the script launches msiexec.exe, injects the Zloader payload into it, and the injected process begins communicating with the C&C server.
Recommended Mitigation
The key to this campaign's success is the abuse of Microsoft's signature validation, which accepts a signed file even after extra data has been appended to its certificate table.
As described, this isn't a newly discovered flaw. Microsoft addressed it years ago (CVE-2012-0151, CVE-2013-3900 and CVE-2020-1599), but it later backed away from enforcing the stricter check by default after determining “that impact to [the] existing software could be high.”
So, while the fix ships with Windows, it is opt-in. Administrators can enable it by setting a registry value; the second key below applies the check to 32-bit processes on 64-bit Windows. To do so, paste the following lines into Notepad, save the file with the “.reg” extension and import it.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
However, the stricter verification can have side effects, as the researchers warn,
After applying the fix, some signatures of legitimate benign installers will show up with an invalid signature. In addition, if mshta.exe is not relevant in your environment, you may disable it and mitigate the execution of scripts that are inserted into such files.
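The following Python script is an added example, written for this article and not taken from the Check Point report or from Microsoft; it shows what the padding check above actually looks for. It parses a PE file's Authenticode certificate table and reports any bytes that sit inside a WIN_CERTIFICATE entry but outside its DER-encoded PKCS#7 blob, which is exactly where data can be appended without breaking the signature. The sample PE is constructed in memory with a tiny stand-in DER value in place of a real signature, and the rule that up to seven zero bytes of alignment slack are tolerated is an assumption made here, not a documented Windows behaviour.

```python
"""
Added example: detect data appended to a PE file's Authenticode certificate
table (the trick addressed by EnableCertPaddingCheck). Not code from the
Check Point report or the original article. The sample PE is constructed.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the certificate table entry


def der_total_length(blob: bytes) -> int:
    """Total encoded size (tag + length field + content) of the first DER
    element in blob. A PKCS#7 SignedData blob is one outer SEQUENCE, so this
    tells us where the genuine signature data ends."""
    if len(blob) < 2:
        raise ValueError("too short for a DER element")
    first = blob[1]
    if first < 0x80:                     # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(data: bytes) -> tuple:
    """Return (file_offset, size) of the certificate table. Unlike other data
    directories, this entry holds a raw file offset rather than an RVA."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20          # skip PE signature and COFF file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                   # PE32: data directories start at +96
        dir_off = opt_off + 96
    elif magic == 0x20B:                 # PE32+: data directories start at +112
        dir_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def find_cert_padding(data: bytes) -> list:
    """Walk each WIN_CERTIFICATE entry and report extraneous bytes. Up to seven
    zero bytes of 8-byte alignment slack are tolerated (an assumption made in
    this example); anything else inside the table is reported."""
    off, size = security_directory(data)
    end = off + size
    findings = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            findings.append({"offset": off, "issue": "malformed WIN_CERTIFICATE header", "trailing_bytes": end - off})
            return findings
        cert = data[off + 8:off + length]
        try:
            der_len = der_total_length(cert)
        except ValueError as exc:
            findings.append({"offset": off + 8, "issue": "bCertificate is not DER: %s" % exc, "trailing_bytes": len(cert)})
            return findings
        if der_len > len(cert):
            findings.append({"offset": off + 8, "issue": "DER length exceeds entry", "trailing_bytes": 0})
            return findings
        extra = cert[der_len:]
        slack = (-(8 + der_len)) % 8     # bytes needed to reach 8-byte alignment
        if len(extra) > slack or any(extra):
            findings.append({"offset": off + 8 + der_len, "issue": "data appended after the PKCS#7 signature", "trailing_bytes": len(extra)})
        off += (length + 7) & ~7         # entries are 8-byte aligned
    if off < end:
        findings.append({"offset": off, "issue": "bytes beyond the last entry", "trailing_bytes": end - off})
    return findings


def build_sample_pe(appended: bytes = b"") -> bytes:
    """Constructed minimal PE32+ (headers only, no sections). Its certificate
    table carries a tiny stand-in DER SEQUENCE instead of a real PKCS#7
    SignedData; `appended` models the script bytes an attacker adds after it
    while bumping dwLength and the directory size so the file still parses."""
    der = b"\x30\x03\x02\x01\x01"        # SEQUENCE { INTEGER 1 } as a stand-in signature
    body = der + appended
    length = 8 + len(body)
    padded = (length + 7) & ~7
    entry = struct.pack("<IHH", length, 0x0200, 0x0002) + body   # revision 2.0, PKCS_SIGNED_DATA
    entry += b"\0" * (padded - length)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    opt_size = 240                                               # PE32+ with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    cert_offset = 0x40 + 4 + 20 + opt_size
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, padded)
    return dos + b"PE\0\0" + coff + bytes(opt) + entry


if __name__ == "__main__":
    print("clean   :", find_cert_padding(build_sample_pe()))
    print("tampered:", find_cert_padding(build_sample_pe(b"<script>call_stage2()</script>")))
```

To scan a real binary, call `find_cert_padding(open(path, "rb").read())`. Any finding means the file's certificate table holds more than its signature, and it should be treated as tampered even on a system where the padding check is not enabled and the signature still reports as valid.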