Hackers Exploiting Microsoft signature verification to drop Zloader Malware

The Malsmoke hacking group is abusing a long-known weakness in Microsoft's digital signature verification (WinVerifyTrust) to deploy malware and steal user data.

An ongoing ZLoader malware campaign has been found abusing legitimate remote monitoring tools and a nine-year-old flaw in Microsoft's digital signature verification to siphon user credentials and other sensitive information.

Zloader (aka Terdot and DELoader) is a banking malware first spotted back in 2015 that can steal account credentials and various types of sensitive private information from infiltrated systems.

Check Point Research (CPR), the first security firm to identify this activity, says the malware is being distributed by the Malsmoke hacking group.

The campaign is said to have claimed 2,170 victims across 111 countries as of January 2, 2022, with most of the affected parties located in the U.S., Canada, India, Indonesia, and Australia. It’s also notable for the fact that it wraps itself in layers of obfuscation and other detection-evasion methods to elude discovery and analysis.

The new campaign is thought to have started in November 2021. In its initial attack stages, the malware's operators use Atera, a legitimate remote management product, as the springboard to infect a system.

Atera is a legitimate enterprise remote monitoring and management (RMM) product widely used in the IT sector, so antivirus tools are unlikely to warn the victim even if the installer has been slightly modified.

This is made possible by exploiting a known issue tracked as CVE-2013-3900, a WinVerifyTrust signature validation vulnerability that allows remote attackers to execute arbitrary code via specially crafted portable executables: the malicious code is appended to the file, and because the Authenticode hash does not cover the region it lands in, the file's signature still verifies as valid.
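The defender-side counterpart of that mechanism is to look at the Attribute Certificate Table of a PE file and ask whether it contains anything beyond the PKCS#7 SignedData blob itself, which is exactly what Microsoft's optional stricter verification checks. The script below is an added example written for this article, not code from Check Point or Microsoft: it parses the PE headers, walks each WIN_CERTIFICATE entry, measures the DER-encoded length of the embedded SignedData structure and reports any bytes that sit inside the entry but outside that structure. The sample PE images it operates on are constructed in the block (a header-only PE32+ skeleton with a dummy SEQUENCE standing in for a real signature); the function and constant names are this example's own.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_HEADER_LEN = 8          # dwLength(4) + wRevision(2) + wCertificateType(2)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _der_sequence_len(blob):
    """Total encoded length of the DER SEQUENCE at blob[0]. Authenticode embeds
    a PKCS#7 SignedData, which always begins with a SEQUENCE tag (0x30)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def _security_directory(pe):
    """(file offset, size) of the Attribute Certificate Table, or (0, 0) if the
    image is unsigned. This directory holds a raw file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                   # skip signature (4) + COFF header (20)
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                    # PE32
        count_off, dd_base = opt + 92, opt + 96
    elif magic == 0x20B:                  # PE32+
        count_off, dd_base = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", pe, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    return struct.unpack_from("<II", pe, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def audit_certificate_table(pe):
    """Walk every WIN_CERTIFICATE entry and report bytes that lie inside the
    entry but after the PKCS#7 blob. The Authenticode hash skips the whole
    table, so this is where CVE-2013-3900 lets content be appended without
    invalidating the signature. Zero bytes up to 8-byte alignment are normal."""
    start, size = _security_directory(pe)
    findings, offset = [], start
    while start and offset < start + size:
        length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
        if length < WIN_CERT_HEADER_LEN or offset + length > len(pe):
            raise ValueError("WIN_CERTIFICATE length out of range")
        entry = pe[offset + WIN_CERT_HEADER_LEN:offset + length]
        excess = entry[_der_sequence_len(entry):] if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA else b""
        findings.append({"offset": offset, "declared_len": length,
                         "excess_len": len(excess),
                         "suspicious": len(excess) > 7 or any(excess)})
        offset += (length + 7) & ~7       # entries are 8-byte aligned
    return findings


def has_appended_data(pe):
    return any(f["suspicious"] for f in audit_certificate_table(pe))


# ---- Constructed samples (not real binaries): a header-only PE32+ whose only
# ---- meaningful content is a certificate table, so the check runs offline.

def _fake_pkcs7(body_len=120):
    """Dummy DER SEQUENCE carrying the signedData OID; not a real signature."""
    body = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    body += b"\x00" * (body_len - len(body))
    return b"\x30\x82" + body_len.to_bytes(2, "big") + body


def build_sample_pe(trailer=b""):
    """PE32+ skeleton whose certificate table holds _fake_pkcs7() followed by
    `trailer`, which mimics where appended bytes land in an abused file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    cert_offset = 64 + 4 + len(coff) + len(opt) + len(dirs)  # 328
    payload = _fake_pkcs7() + trailer
    length = (WIN_CERT_HEADER_LEN + len(payload) + 7) & ~7
    cert = struct.pack("<IHH", length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    cert += payload + b"\x00" * (length - WIN_CERT_HEADER_LEN - len(payload))
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, length)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(dirs) + cert


if __name__ == "__main__":
    for name, sample in (("clean", build_sample_pe()),
                         ("appended", build_sample_pe(b"X" * 40))):
        print(name, audit_certificate_table(sample))
```

Run against a real signed file, `audit_certificate_table(open(path, "rb").read())` returns one entry per certificate with the number of trailing bytes it found; a clean file shows only a few zero bytes of alignment padding, while a file abused this way shows a larger or non-zero tail. The same condition is what Microsoft's opt-in stricter Authenticode verification (the `EnableCertPaddingCheck` setting described in its advisory for MS13-098) enforces at load time, so this check is useful for triaging files on systems where that setting is not yet enabled.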

More recently, Zloader has been used to drop further payloads on infected devices, including ransomware payloads such as Ryuk and Egregor.

CPR believes that MalSmoke is behind the latest campaign due to coding similarities, the use of Java plugins as fake installers, and connections between registrar records for domains previously used by the group to spread Raccoon Stealer malware.

Microsoft has explained that a fix for this flaw was released long ago, but it is opt-in rather than applied by default. Users who do not enable it manually therefore remain exposed to the new campaign.

“It seems like the ZLoader campaign authors put great effort into defense evasion and are still updating their methods every week,” Check Point malware researcher Kobi Eisenkraft said, urging users to refrain from installing software from unknown sources and to apply Microsoft's strict Windows Authenticode signature verification for executable files.

Microsoft and Atera have been made aware of the researchers’ findings.