ZLoader malware abuses Microsoft's file signatures

The ZLoader banking Trojan is on the rise again. A new ZLoader variant abuses Microsoft's digital signature verification to spread. The goal is to steal user data from thousands of victims in 111 countries. Security experts from Check Point suspect that the MalSmoke group is behind it. Evidence of the new campaign was first discovered in November 2021.



ZLoader: Uses Microsoft's file signatures

The security researchers from Check Point Research (CPR) have been observing increasing activity of the ZLoader malware for several weeks. ZLoader is a banking Trojan that spies on its victims. What makes the new campaign special is that the malware exploits Microsoft's file signatures to give the appearance of legitimacy: the signed file has been tampered with by appending data to it, yet the digital signature still appears valid.

In 2021, the ZLoader malware was particularly noticeable during the summer months. At that time, the operators behind the malware, the MalSmoke group, bought Google keyword ads to spread various malware strains. Among them was the infamous Ryuk ransomware. In the current campaign, Check Point's security experts have so far identified over 2,100 victims in 111 countries. The majority of victims are located in the United States.

Figure: ZLoader infections by country

The infection chain

Check Point's security specialists have identified the following modus operandi for ZLoader malware distribution.

  1. The attack starts with the installation of a legitimate remote management program (from Atera), disguised as a Java installation.
  2. After this installation, the attacker has full access to the system and is able to upload and download files and execute scripts. The attacker uploads and executes some scripts, which download further scripts that run mshta.exe with the appContast.dll file as a parameter.
  3. The appContast.dll file carries a valid-looking Microsoft signature, even though additional data has been appended to the end of the file.
  4. The appended data downloads and executes the final ZLoader payload, which steals victims' user credentials and private information.

Moreover, the culprits continue to develop the malware campaign on a weekly basis, which makes effective defense more difficult.



MalSmoke group behind the attacks

Based on an analysis of the current campaign's methodology, compared with previous malware attacks, it can be assumed that the people behind it are those responsible for MalSmoke.

Kobi Eisenkraft, malware researcher at Check Point, explains, "People need to know that they can't immediately trust a file's digital signature. We have found a new ZLoader campaign that exploits Microsoft's digital signature verification to steal sensitive information from users. The first evidence of the new campaign was discovered in November 2021.

The attackers, which Check Point attributes to MalSmoke, are targeting the theft of user credentials and victims' private information. So far, Check Point security researchers have counted more than 2,000 victims in 111 countries, and the number is growing.

All in all, the operators of the ZLoader campaign seem to put great effort into evading defenses and update their methods on a weekly basis. Kobi Eisenkraft strongly recommends that users install Microsoft's Authenticode strict verification update, as it is not applied by default." This can be done by importing the following .reg file with administrative privileges:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

Check Point has informed Microsoft and Atera about the results of the investigation. The complete analysis of the current ZLoader campaign, with further details on the approach, can be read in this article.
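To make concrete what step 3 of the infection chain above and the padding check enforced by EnableCertPaddingCheck are about, here is an added Python example; it is not code from Check Point's analysis or from this post. It parses a PE file's Authenticode certificate table (data directory 4) and flags bytes that sit inside a WIN_CERTIFICATE entry beyond the PKCS#7 SignedData blob. That region is not covered by the Authenticode hash, so a file can carry appended data there while its signature still verifies, which is what the strict verification setting tells WinVerifyTrust to reject. The sample image the script builds is constructed test data, not a real binary, and the function names are my own.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _der_total_length(buf: bytes, offset: int) -> int:
    """Total encoded size (tag + length bytes + content) of the DER SEQUENCE
    at buf[offset]. Only definite-form lengths are handled, which is all a
    PKCS#7 SignedData blob uses."""
    if buf[offset] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = buf[offset + 1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    content_len = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
    return 2 + n + content_len


def security_directory(pe: bytes):
    """Locate the Authenticode certificate table. Returns (file_offset, size)
    or None when the image carries no signature."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt_off = e_lfanew + 4 + 20                      # after COFF file header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dd_base = opt_off + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    off, size = struct.unpack_from("<II", pe, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    return off, size  # for this directory the "RVA" is a raw file offset


def find_certificate_padding(pe: bytes):
    """Walk every WIN_CERTIFICATE entry and report data that lies inside the
    entry but after the SignedData the signer produced. Returns a list of
    (entry_index, trailing_length, first_bytes) tuples."""
    loc = security_directory(pe)
    if loc is None:
        return []
    off, size = loc
    end = off + size
    findings, idx = [], 0
    while off + 8 <= end:
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if dw_length < 8 or off + dw_length > end:
            raise ValueError("malformed WIN_CERTIFICATE")
        body = pe[off + 8:off + dw_length]
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            used = _der_total_length(body, 0)
            trailing = body[used:]
            # Only zero bytes padding the entry to an 8-byte boundary are
            # legitimate; anything longer or non-zero was never hashed.
            if len(trailing) > 7 or any(trailing):
                findings.append((idx, len(trailing), bytes(trailing[:16])))
        off += (dw_length + 7) & ~7
        idx += 1
    return findings


def build_sample_image(extra: bytes) -> bytes:
    """Constructed minimal PE32+ image (not runnable as a program) whose
    certificate table holds a dummy 20-byte SignedData blob followed by
    `extra`. Used here only as test input."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    headers_len = 64 + 4 + 20 + 240
    signed_data = b"\x30\x82\x00\x10" + b"\xAA" * 0x10  # fake DER SEQUENCE
    body = signed_data + extra
    dw_length = 8 + len(body)
    padded = (dw_length + 7) & ~7
    cert = struct.pack("<IHH", padded, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    cert += b"\0" * (padded - dw_length)                # alignment zeros
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for label, extra in (("clean", b""), ("appended", b"payload-marker:X")):
        print(label, find_certificate_padding(build_sample_image(extra)))
```

The check mirrors what the strict verification setting does on the Windows side: a signature that cryptographically verifies can still be rejected when the certificate table holds more than the signed blob and its alignment zeros. Running it over signed binaries pulled from an incident (for example the mshta.exe argument from step 2) is a quick way to triage whether a "Microsoft-signed" file has been padded, without needing the registry change to be in place on the analysis host.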


