Yikes! ZLoader Is Back And It Leverages A Vulnerability In Microsoft’s Digital Signature To Do Evil

The infamous ZLoader malware has returned. And it’s taking advantage of a vulnerability in the way Microsoft digitally signs a specific file type. Check Point Research has the details:
The malware then exploits Microsoft’s digital signature verification method to inject its payload into a signed system DLL to further evade the system’s defenses. This evidence shows that the Zloader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis.
And here’s how you get pwned:
The infection starts with the installation of Atera software on the victim’s machine. Atera is a legitimate, enterprise remote monitoring and management software, designed for IT use. Atera can install an agent and assign the endpoint to a specific account using a unique .msi file that includes the owner’s email address. The campaign authors created this installer (b9d403d17c1919ee5ac6f1475b645677a4c03fe9) with a temporary email address: ‘Antik.Corp@mailto.plus’. The file imitates a Java installation, just like in previous Zloader campaigns. As of this moment, the exact distribution method for this file is not fully understood.
Once the agent is installed on the machine, the attacker has full access to the system and is able to upload/download files, run scripts, etc. Atera offers a free 30-day trial for new users, which is enough time for the attacker to stealthily gain initial access.
In the next phase of the attack, the attackers download and run two malicious files, one of which is designed to disable certain protections in Windows Defender and the other to load the rest of the malware. From there, a script runs an executable file, and that’s where the operators exploit a hole in Microsoft’s signature verification.
All of this is pretty bad. But there is a mitigation... Sort of:
We recommend that users apply Microsoft’s update for strict Authenticode verification. To do so, paste these lines into Notepad and save the file with .reg extension before running it.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
We should also note that after applying the fix, some signatures of legitimate benign installers will show up with an invalid signature. In addition, if mshta.exe is not relevant in your environment, you may disable it and mitigate the execution of scripts that are inserted into such files.
So in short, the fix may break other stuff. Thus you should evaluate the risk/reward proposition before implementing this in your environment. Or put another way, you should test the daylights out of this mitigation before you roll it out so that you don’t break anything.
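One way to do that testing, as an added example that is not from the Check Point report or the blog: a PowerShell script that applies the same two registry values as the .reg file (only when run with -Apply), then re-checks the Authenticode status of installers you rely on so that anything that stops validating shows up in a lab before a wider rollout. It assumes an elevated session and that $TestFolder is a folder of installers you depend on.

```powershell
# Added example: apply the EnableCertPaddingCheck mitigation (optional) and
# re-verify Authenticode status of known-good installers afterwards.
# Assumes an elevated PowerShell session; $TestFolder is an assumed path.
param(
    [string]$TestFolder = 'C:\Temp\InstallerSamples',  # assumed: installers you rely on
    [switch]$Apply                                      # without -Apply, report only
)

# Same two keys as the .reg file in the report (32-bit view via Wow6432Node).
$regPaths = @(
    'HKLM:\Software\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Get-PaddingCheckState {
    foreach ($p in $regPaths) {
        $v = (Get-ItemProperty -Path $p -Name EnableCertPaddingCheck `
              -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{ Path = $p; EnableCertPaddingCheck = $v }
    }
}

if ($Apply) {
    foreach ($p in $regPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # The .reg file writes the value as the string "1" (REG_SZ), so match that.
        Set-ItemProperty -Path $p -Name EnableCertPaddingCheck -Value '1' -Type String
    }
}

Get-PaddingCheckState | Format-Table -AutoSize

# Re-check the installers you depend on. Get-AuthenticodeSignature goes through
# WinVerifyTrust, so files that no longer pass under strict checking show up as
# something other than 'Valid' and need a decision before rollout.
Get-ChildItem -Path $TestFolder -Include *.exe, *.msi, *.dll -Recurse -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.Name
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    } | Sort-Object Status | Format-Table -AutoSize
```

Run it once without -Apply to record the baseline, then with -Apply and compare the two Status columns.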
This entry was posted on January 7, 2022 at 10:33 am and is filed under Commentary with tags Security.