Microsoft’s Signature Verification abused by the Zloader banking malware

February 4, 2022

Researchers have uncovered a new Zloader malware campaign that abuses a remote monitoring tool and a decade-old vulnerability in Microsoft’s signature verification to gather user credentials and sensitive data. Based on recent findings, the Zloader infection chain is attributed to a cybercriminal gang known as Malsmoke, since it resembles their past campaigns.

According to the researchers, the techniques used in the infection chain include using a legitimate RMM tool to gain access to the target device. The malware then abuses Microsoft’s digital signature verification to inject its payload into a signed DLL, further evading AV solutions.

As of this month, the Zloader campaign is believed to have claimed over 2,000 victims across 120 countries, with the most affected entities located in the US, Australia, Canada, Indonesia, and India. The campaign is also notable for wrapping itself in layers of evasive tactics and other obfuscation methods to avoid detection and analysis.


The Zloader attack sequence starts with installing a legitimate enterprise remote monitoring software known as “Atera.”

Atera is then used to upload and download arbitrary files and to run malicious scripts. How the installer file is distributed, however, remains unknown for now.

One of the files is used to add exclusions to Windows Defender, while a second file retrieves and launches next-stage payloads, including a DLL file (appContast[.]dll) used to run the Zloader binary.

What is most interesting about appContast[.]dll is that it is originally a Microsoft app resolver module, signed by Microsoft with a valid signature. The threat actors edited this Microsoft-signed file and injected malicious script code into it to load the final stage of the attack.

This unusual Zloader technique is made possible by abusing a known vulnerability in Microsoft’s signature verification, tracked as CVE-2013-3900, which lets remote threat actors execute arbitrary code through specially crafted executables: the malicious code snippet is appended to the file in a way that leaves the file’s signature valid.

Researchers believe the Zloader operators are putting substantial effort into defence evasion and are updating their methods every week. They urge users to avoid installing software from suspicious sources and to always enable Microsoft’s strict Windows Authenticode signature verification for executable files.
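To make the CVE-2013-3900 weakness and the "strict verification" advice above concrete, here is an added Python check (not from the report or the researchers) that inspects a PE file's attribute certificate table for bytes that sit inside a WIN_CERTIFICATE entry but after the actual PKCS#7 signature blob; such bytes are not covered by the Authenticode hash, which is how a tampered file can still carry a valid signature. It assumes the caller has already extracted the security directory bytes from the PE, and the sample input is constructed for the test, with a minimal DER SEQUENCE standing in for a real signature.

```python
import struct

# WIN_CERTIFICATE entry layout in the PE attribute certificate table:
#   dwLength (u32), wRevision (u16), wCertificateType (u16), bCertificate[]
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(buf: bytes) -> int:
    """Size of the DER element at the start of buf (tag + length + content)."""
    if len(buf) < 2 or buf[0] != 0x30:       # PKCS#7 SignedData is a SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def find_unsigned_padding(cert_table: bytes) -> list:
    """Report, per WIN_CERTIFICATE entry, the bytes that sit after the PKCS#7
    blob but inside the declared dwLength. Those bytes are excluded from the
    Authenticode hash, so a tampered file can carry data there while its
    signature still verifies; strict verification rejects anything there
    other than alignment padding."""
    findings, off = [], 0
    while off + WIN_CERT_HEADER.size <= len(cert_table):
        length, rev, ctype = WIN_CERT_HEADER.unpack_from(cert_table, off)
        if length < WIN_CERT_HEADER.size or off + length > len(cert_table):
            raise ValueError("corrupt WIN_CERTIFICATE length")
        body = cert_table[off + WIN_CERT_HEADER.size:off + length]
        der_len = der_total_length(body)
        trailing = body[der_len:]
        findings.append({"revision": rev, "type": ctype, "pkcs7_len": der_len,
                         "trailing_len": len(trailing),
                         "trailing_is_zero": trailing == bytes(len(trailing))})
        off += (length + 7) & ~7              # entries are 8-byte aligned
    return findings


def build_sample_table(pkcs7: bytes, extra: bytes) -> bytes:
    """Constructed input: one entry wrapping `pkcs7` followed by `extra`."""
    body = pkcs7 + extra
    return WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body),
                                WIN_CERT_REVISION_2_0,
                                WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
```

A non-zero `trailing_len` with `trailing_is_zero` false is the condition a strict Authenticode verifier rejects; a lenient one still reports the signature as valid.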
