A Zloader campaign has been discovered that abuses Microsoft's digital signature verification process to deploy malware payloads. The campaign, run by the Malsmoke hacker group, steals user credentials and has already targeted thousands of victims across 111 countries.
The attack campaign
According to researchers from Check Point, the campaign has been ongoing since at least November 2021.
- The infection starts with a modified installer (Java[.]msi) for Atera, a legitimate remote monitoring and management tool.
- Attackers are suspected to have used spear-phishing emails or pirated software sites for delivery, although researchers could not confirm this.
- On execution, the Atera installer deploys an agent that registers the endpoint under an email address controlled by the threat actor, giving the attackers full remote access to the target system.
- From there, the attackers can run scripts and upload and download files, including the Zloader malware payloads.
- So far, the campaign has targeted 2,170 unique systems, with 864 IP addresses based in the U.S. and 305 in Canada.
The bypass of code-signing checks
Check Point researchers verified that appContast[.]dll, which executes the Zloader payload and the registry-editing script, carries a valid code signature so that the OS trusts it.
- They compared the modified DLL with Atera's original and spotted a small modification in the signature size and the checksum.
- These changes are not enough to invalidate the signature, because data can be appended to the signature area of a file without breaking the signature.
- The appended data is used to download and run the final Zloader payload, which then steals credentials and other sensitive information.
The campaign exploits known flaws (CVE-2013-3900, CVE-2012-0151, and CVE-2020-1599). Microsoft addressed these gaps by releasing stricter file verification policies; however, the stricter checks are disabled by default, which lets adversaries keep abusing the weakness.
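As an added illustration of the signature-area abuse described above (example code written for this article, not Check Point's tooling or anything from the Atera project), the following Python parses a PE's Authenticode certificate table and counts bytes inside a WIN_CERTIFICATE entry that are neither part of the PKCS#7 blob nor plain alignment padding; this is the gap that Microsoft's opt-in EnableCertPaddingCheck policy for CVE-2013-3900 closes. `build_pe` is a constructed header-only fixture and the payload string is made up.

```python
import struct

def _security_directory(pe: bytes):
    """Return (file offset, size) of the certificate table (data directory 4)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                              # skip signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ data directories
    return struct.unpack_from("<II", pe, dd_base + 8 * 4)

def _der_length(blob: bytes) -> int:
    """Total length of the outer DER SEQUENCE (the PKCS#7 SignedData)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    if blob[1] < 0x80:
        return 2 + blob[1]
    n = blob[1] & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def check_signature_padding(pe: bytes) -> dict:
    """Count bytes in WIN_CERTIFICATE entries that are not PKCS#7 data and not
    8-byte alignment zeros. Authenticode hashing skips the whole table, so such
    bytes ride along under a still-valid signature unless the padding check is on."""
    off, size = _security_directory(pe)
    if size == 0:
        return {"signed": False, "extra_bytes": 0}
    extra, pos = 0, off
    while pos + 8 <= off + size:
        dw_length = struct.unpack_from("<I", pe, pos)[0]
        blob = pe[pos + 8:pos + dw_length]
        der_len = _der_length(blob)
        allowed = -der_len % 8                           # legitimate alignment padding
        padding = blob[der_len:]
        extra += sum(1 for i, b in enumerate(padding) if i >= allowed or b != 0)
        pos += (dw_length + 7) & ~7                      # entries are 8-byte aligned
    return {"signed": True, "extra_bytes": extra}

def build_pe(cert_der: bytes, smuggled: bytes = b"") -> bytes:
    """Constructed test fixture: a header-only PE32 image with one certificate
    entry (not a real binary). `smuggled` imitates data appended inside the entry."""
    body = cert_der + b"\0" * (-len(cert_der) % 8) + smuggled
    entry = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    hdr = bytearray(0x40 + 4 + 20 + 96 + 128)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew
    struct.pack_into("<H", hdr, 0x40 + 24, 0x10B)        # PE32 optional header magic
    struct.pack_into("<II", hdr, 0x40 + 24 + 96 + 8 * 4, len(hdr), len(entry))
    return bytes(hdr) + entry
```

Run against real binaries, a non-zero `extra_bytes` on a file whose signature still verifies is exactly the condition worth alerting on; the same check is what the registry policy enforces when enabled.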
Conclusion
These attacks appear to be highly targeted and can cause severe damage. The use of valid code signatures to evade security tools makes the threat harder for victim organizations to detect. Organizations can, however, use the published indicators of compromise for proactive detection and prevention.