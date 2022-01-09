The malware itself is not new: Zloader and its modus operandi were already known, as was the trick of hiding code inside validly signed files to spread it. What has proved hard to stop is the latest Zloader variant.

This time the new variant is being used by cybercriminals who take advantage of valid Microsoft signatures to avoid detection by security software: over two thousand victims in 11 countries, with the United States, Canada and India currently the most affected.

The Zloader variant was discovered by researchers from Check Point Software Technologies, a well-known Israeli vendor of network devices and software that specializes in security products such as firewalls and VPNs.

The Zloader variant: a new trick that is hard to stop

The latest report states that the Zloader banking Trojan is using a new script that lets it covertly infect PCs and install remote-access tooling used to launch the malware. Although the group has been active since at least 2020, this new ploy by the Zloader operators has attracted the attention of security researchers.

The Check Point team discovered that the Zloader executable uses DLL files carrying valid Microsoft signatures. The initial executable (on MS-DOS, OS/2 and Windows, the .exe extension marks a file containing executable code, that is, a program or a device driver) is delivered to the user through social engineering, but also through legitimate remote management tools such as Atera, to give one example.

Once loaded, the libraries execute the embedded attack scripts, which reach out to a command-and-control server that then pushes additional payloads. Because the files still carry a valid signature, there is less chance that security software such as Microsoft Defender will flag them.

The Israeli team found that the cybercriminals had taken legitimately signed libraries and manipulated them, appending to the file's signature section rather than touching the signed code itself, so as to inject the attack scripts without invalidating the signature, which therefore still verifies as authentic.

The technique exploits an old weakness in Microsoft's Authenticode signature verification (tracked as CVE-2013-3900) which, where the fix is not enabled, lets threat actors append unsigned content to a signed file without the signature check failing.

“These simple changes keep the signature valid, but allow us to add data to the signature section of a file,” the researchers explain. “Since we can’t run compiled code from the signature section of a file, inserting a script written in VBscript or JavaScript and running the file using mshta.exe is a simple solution that may circumvent some EDR (endpoint detection and response) solutions.”

Vulnerabilities of this kind have been known for years. Microsoft fixed this one in 2013, but the stricter verification shipped in that security update was later made opt-in, disabled by default, because of potential compatibility issues, so administrators have to turn it on explicitly through the Windows registry. Check Point estimated that 2,170 unique IP addresses had run the infected DLL file.
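The property the researchers describe, that data appended inside the signature section leaves the signature valid, can be checked for directly. The Python script below is an added example for this article, not Check Point's or Microsoft's code: it parses a PE file's security data directory, measures the DER length of the PKCS#7 blob inside the WIN_CERTIFICATE structure, and reports any slack between the end of that blob and the declared dwLength. The function names (`inspect_signature_slack`, `build_sample_pe`) are this example's own, and `build_sample_pe` constructs a synthetic, non-loadable PE32+ skeleton with a dummy DER SEQUENCE standing in for a real signature, purely as test input. The script does not verify the signature itself.

```python
"""Spot data smuggled into a PE file's Authenticode certificate table.

Added example for this article, not Check Point's or Microsoft's code. It
shows the property behind the Zloader trick: the Authenticode hash skips the
checksum, the security directory entry and the certificate table itself, so
bytes appended inside the table leave the signature valid, and without the
2013 padding check they are simply ignored by verification.
"""
import struct

SECURITY_DIR_INDEX = 4                  # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(blob: bytes) -> int:
    """Full encoded size (tag + length + content) of the DER element that
    starts blob. A PKCS#7 SignedData is a SEQUENCE, tag 0x30."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F                              # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def locate_certificate_table(pe: bytes):
    """Return (file_offset, size) of the security directory, or None if the
    file carries no embedded signature. Unlike the other directories, this
    one holds a raw file offset rather than an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # skip "PE\0\0" and the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                            # PE32: data directories at +96
        dd_base = opt + 96
    elif magic == 0x20B:                          # PE32+: data directories at +112
        dd_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    offset, size = struct.unpack_from("<II", pe, dd_base + 8 * SECURITY_DIR_INDEX)
    return (offset, size) if size else None


def inspect_signature_slack(pe: bytes) -> dict:
    """Compare WIN_CERTIFICATE.dwLength with the DER length of the PKCS#7 blob
    it wraps. Bytes between the end of the DER structure and dwLength are
    slack the signer never covered. Zero padding up to an 8-byte boundary is
    normal; anything longer, or non-zero, is what the 2013 fix rejects."""
    loc = locate_certificate_table(pe)
    if loc is None:
        return {"signed": False}
    offset, size = loc
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if dw_length != size or offset + dw_length > len(pe):
        raise ValueError("certificate table size mismatch")
    blob = pe[offset + 8:offset + dw_length]      # bCertificate[]
    der_len = der_total_length(blob)
    trailing = blob[der_len:]
    return {
        "signed": True,
        "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "der_length": der_len,
        "trailing_bytes": len(trailing),
        "suspicious": len(trailing) > 7 or any(trailing),
        "trailing_preview": bytes(trailing[:64]),
    }


def build_sample_pe(appended: bytes = b"") -> bytes:
    """Constructed test input: a minimal PE32+ skeleton (no sections, not
    loadable) whose certificate table wraps a dummy DER SEQUENCE standing in
    for a real PKCS#7 signature, followed by `appended`. Nothing here is a
    genuine Microsoft signature; only the layout matters for the check."""
    fake_der = bytes.fromhex("30060201010401aa")   # SEQUENCE { INTEGER 1, OCTET STRING AA }
    cert_body = fake_der + appended
    dw_length = 8 + len(cert_body)
    cert_table = struct.pack("<IHH", dw_length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 128, 0x22)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)          # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    cert_offset = 64 + 4 + 20 + 112 + 128         # certificate table directly after the headers
    struct.pack_into("<II", dirs, 8 * SECURITY_DIR_INDEX, cert_offset, dw_length)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(dirs) + cert_table


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe(b"<script language=vbscript>MsgBox 1</script>")
    print(inspect_signature_slack(data))
```

Run with a suspect DLL as the only argument to triage it; with no argument it inspects the constructed sample, which carries a script appended after the dummy blob and is reported as suspicious. The slack report is a triage aid only: a DLL flagged here should still be checked with `signtool verify /v` or `Get-AuthenticodeSignature`, and the actual enforcement on Windows is the opt-in padding check (the `EnableCertPaddingCheck` value under `HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config`, and its `Wow6432Node` twin on 64-bit systems, as described in Microsoft's 2013 advisory), which is exactly the registry change the article refers to.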

Check Point Chief Researcher Kobi Eisenkraft, in an excerpt from an interview with SearchSecurity, said that “administrators looking to protect their networks from potential attacks shouldn’t just install the Microsoft update and the changes to Microsoft’s registry keys, but they should also make sure their systems are up to date with all security patches”.