A Zloader campaign has been uncovered that abuses Microsoft’s digital signature verification mechanism to distribute malware payloads. The effort, attributed to the Malsmoke hacker group, steals user passwords and has already affected thousands of people in 111 countries.
The offensive campaign
According to Check Point researchers, the campaign has been running since November 2021.
The infection begins with a modified installer (Java[.]msi) for Atera, a legitimate remote monitoring and management (RMM) product.
Although experts were unable to corroborate this, it is believed that the attackers used spear-phishing emails or pirated software resources.
Once executed, the installer sets up an Atera agent that registers the endpoint to an account tied to a threat actor’s email address, giving the attackers complete remote access to the target system.
The attackers can then run scripts and upload or download files, including the Zloader malware payloads.
The recent Zloader effort has so far targeted 2,170 unique computers, with 864 IP addresses from the United States and 305 from Canada.
To escape detection, escalate privileges, deactivate security features, establish persistence, and inject the primary payload into operating processes, the malware installation chain relies on the execution of multiple scripts.
mshta.exe is used to invoke appContast.dll, a Microsoft-signed binary to which the attackers appended a script; that script then executes the main Zloader payload using regsvr32.exe.
Check Point discovered that the malware tampered with the legitimate appContast.dll and reboot.dll files to guarantee that malicious code could run unhindered.
Only the “file checksum and two spots that match the signature size” were changed, so the signature remained valid, yet the attackers were able to append data to the signature section.
Although Microsoft issued a fix for the problem almost a decade ago, the stricter file verification it introduced was later withdrawn as a default and replaced with an opt-in update. In effect the fix is absent on most systems, allowing malware authors to carry out attacks like the recent Zloader campaign.
Check Point also found an open directory on the attacker’s server and observed that the adversary was frequently replacing the DLL files. As of January 2022, the malicious DLL appears to have been downloaded to 2,170 unique computers.
“Zloader campaigns have been seen in the wild before in various forms. We can observe that the authors put a lot of work into the evasion tactics in this case,” Check Point said. “Two noteworthy approaches shown here are leveraging legal RMM software as an initial access to a target machine, and attaching code to a file’s signature while still keeping the signature’s validity and running it using mshta.exe.”
The circumvention of code-signing checks
According to Check Point researchers, appContast[.]dll, which runs the registry-editing script and executes the Zloader payload, carries a genuine code signature so that the OS trusts it.
They compared the modified DLL to Atera’s and discovered that the signature size and checksum had been changed slightly.
These modifications are not significant enough to invalidate the e-signature. An attacker can, however, append data to the signature area of the file.
This extra data is needed to download and run the final Zloader payload, as well as steal credentials and other sensitive data.
The campaign takes advantage of known flaws (CVE-2013-3900, CVE-2012-0151 and CVE-2020-1599). Microsoft attempted to close these gaps by releasing more stringent file verification procedures, but the stricter checks were disabled by default, leaving them open to abuse.
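The signature-padding trick described above can be spotted from the defender’s side by comparing each WIN_CERTIFICATE entry’s declared length with the length encoded in its DER SignedData blob: bytes that sit between the two are not covered by the Authenticode hash. The following Python is an added example written for this article, not Check Point’s code or anything taken from the samples. The PE header offsets and WIN_CERTIFICATE layout follow the PE/COFF specification; FAKE_SIGNED_DATA, build_entry and build_fake_pe are constructed sample input and are not real signatures.

```python
"""Defender-side check for extra data hidden inside a PE Authenticode certificate
table (the CVE-2013-3900 padding weakness). All sample data below is constructed
for this example; nothing comes from the Zloader samples themselves."""
import struct

WIN_CERT_HDR = struct.Struct("<IHH")         # dwLength, wRevision, wCertificateType
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200
MAX_ALIGNMENT_PAD = 7                        # entries are padded to 8-byte boundaries


def der_tlv_length(buf, offset=0):
    """Total size (tag + length field + content) of the DER element at buf[offset]."""
    if offset + 2 > len(buf):
        raise ValueError("truncated DER header")
    first = buf[offset + 1]
    if first < 0x80:                         # short form: one length byte
        return 2 + first
    n = first & 0x7F                         # long form: n length bytes follow
    if n == 0 or n > 4 or offset + 2 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[offset + 2:offset + 2 + n], "big")


def check_certificate_table(table):
    """Walk the WIN_CERTIFICATE entries and measure the gap between the end of
    the DER-encoded PKCS#7 SignedData and the end of each entry. Up to 7 bytes
    of alignment padding is normal; anything larger is data the signature does
    not cover, which is where the tampered DLLs carried their appended script."""
    findings, pos = [], 0
    while pos + WIN_CERT_HDR.size <= len(table):
        dw_length, _rev, cert_type = WIN_CERT_HDR.unpack_from(table, pos)
        if dw_length < WIN_CERT_HDR.size or pos + dw_length > len(table):
            raise ValueError("WIN_CERTIFICATE dwLength out of bounds")
        body = table[pos + WIN_CERT_HDR.size:pos + dw_length]
        try:
            if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or body[:1] != b"\x30":
                raise ValueError("not a PKCS#7 SignedData SEQUENCE")
            trailing = len(body) - der_tlv_length(body)
        except ValueError:
            trailing = None                  # malformed entry: flag it
        findings.append({"offset": pos, "dwLength": dw_length, "trailing_bytes": trailing,
                         "suspicious": trailing is None
                         or not 0 <= trailing <= MAX_ALIGNMENT_PAD})
        pos += (dw_length + 7) & ~7          # next entry starts on an 8-byte boundary
    return findings


def security_directory(pe):
    """(file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY. For this directory
    the first field is a raw file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                       # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", pe, ndirs_off)[0] < 5:
        return 0, 0                          # no security directory present
    return struct.unpack_from("<II", pe, dirs_off + 4 * 8)   # directory index 4


def scan_pe(pe):
    """Findings for an in-memory PE image; [] when the file carries no signature."""
    off, size = security_directory(pe)
    return check_certificate_table(pe[off:off + size]) if size else []


# --- constructed sample input (not real signatures) -------------------------
FAKE_SIGNED_DATA = b"\x30\x82\x00\x10" + bytes(range(16))    # a 20-byte DER SEQUENCE


def build_entry(der, appended=b""):
    """One WIN_CERTIFICATE around `der`, optionally with `appended` bytes after
    the DER blob (constructed stand-in for the attackers' appended data)."""
    body = der + appended
    body += b"\0" * (-len(body) % 8)         # pad to 8 bytes like real signing tools
    return WIN_CERT_HDR.pack(WIN_CERT_HDR.size + len(body), WIN_CERT_REVISION_2_0,
                             WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


def build_fake_pe(cert_table):
    """Minimal PE32 header skeleton whose security directory points at cert_table."""
    e_lfanew, opt = 0x40, 0x40 + 24
    hdr_len = opt + 224                      # PE32 optional header incl. 16 data dirs
    hdr = bytearray(hdr_len)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 4 * 8, hdr_len, len(cert_table))
    return bytes(hdr) + cert_table


if __name__ == "__main__":
    for label, extra in (("clean", b""), ("tampered", b"placeholder-data" * 4)):
        print(label, scan_pe(build_fake_pe(build_entry(FAKE_SIGNED_DATA, extra))))
```

Run against a real file with `scan_pe(open(path, "rb").read())`; a `trailing_bytes` value above 7 on a file whose signature Windows still reports as valid is the pattern this campaign relied on. Note that the check only inspects the container: it does not verify the signature itself. On Windows the opt-in hardening Microsoft shipped for CVE-2013-3900 is enabled by setting the `EnableCertPaddingCheck` value to 1 under `HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config`, after which WinVerifyTrust rejects such padded entries outright.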
These attacks appear to be highly targeted and may cause significant harm. Valid code signatures are used to avoid detection by security tooling, making it harder for victim organisations to discover the threat. Organisations can, however, examine the published indicators of compromise for proactive identification and prevention.