Yikes! ZLoader Is Back And It Leverages A Vulnerability In Microsoft’s Digital Signature To Do Evil

The infamous ZLoader malware has returned. And it’s taking advantage of a vulnerability in the way Microsoft digitally signs a specific file type. Check Point Research has the details:

The malware then exploits Microsoft’s digital signature verification method to inject its payload into a signed system DLL to further evade the system’s defenses. This evidence shows that the Zloader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis.

And here’s how you get pwned:

The infection starts with the installation of Atera software on the victim’s machine. Atera is a legitimate, enterprise remote monitoring and management software, designed for IT use. Atera can install an agent and assign the endpoint to a specific account using a unique .msi file that includes the owner’s email address. The campaign authors created this installer (b9d403d17c1919ee5ac6f1475b645677a4c03fe9) with a temporary email address: ‘Antik.Corp@mailto.plus’. The file imitates a Java installation, just like in previous Zloader campaigns. As of this moment, the exact distribution method for this file is not fully understood.

Once the agent is installed on the machine, the attacker has full access to the system and is able to upload/download files, run scripts, etc. Atera offers a free 30-day trial for new users, which is enough time for the attacker to stealthily gain initial access. 

In the next phase of the attack, the attackers download and run two malicious files, one of which is designed to disable certain protections in Windows Defender and the other to load the rest of the malware. From there, a script runs an executable file, and that’s where the operators exploit a hole in Microsoft’s signature verification.

All of this is pretty bad. But there is a mitigation……. Sort of:

We recommend that users apply Microsoft’s update for strict Authenticode verification. To do so, paste these lines into Notepad and save the file with .reg extension before running it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]

“EnableCertPaddingCheck”=”1”

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]

“EnableCertPaddingCheck”=”1”

We should also note that after applying the fix, some signatures of legitimate benign installers will show up with an invalid signature. In addition, if mshta.exe is not relevant in your environment, you may disable it and mitigate the execution of scripts that are inserted into such files.

So in short, the fix may break other stuff. Thus you should evaluate the risk/reward proposition before implementing this in your environment. Or put another way, you should test the daylights out of this mitigation before you roll it out so that you don’t break anything.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: