Zloader malware campaign bypasses Microsoft's code-signing check


A new Zloader campaign has been found to bypass Microsoft's digital-signature verification in order to deploy a payload that stole user credentials from thousands of victims in 111 countries.

Source: Check Point Research, "Can You Trust a File's Digital Signature? New Zloader Campaign exploits Microsoft's Signature Verification putting users at risk" (research by Golan Cohen).

Zloader, a banking malware designed to steal users' credentials and personal information, was last seen in August 2021 and is back with a simple yet sophisticated infection chain. Earlier Zloader campaigns, observed in 2020, used malicious documents, adult websites, and Google ads to infect systems.

Evidence of the new campaign was first seen in early November 2021. Its infection chain abuses legitimate remote monitoring and management (RMM) software to gain initial access to the target machine.

Check Point researchers, who first observed the campaign in November 2021, attribute it to the threat group known as "MalSmoke" and say it appears to be ongoing.

Zloader (a.k.a. Terdot, DELoader) is a banking malware first discovered in 2015 that is capable of stealing account credentials and various types of sensitive personal information from compromised systems.

More recently, Zloader has been used to drop additional payloads on infected devices, including the Ryuk and Egregor ransomware.

MalSmoke has distributed information-stealing malware in a variety of ways, including spam, malvertising, and adult content used as a lure.

Atera's remote management software abused

In the latest attack tracked and analyzed by Check Point, the infection begins by delivering a “Java.msi” file that is a modified version of the Atera installer.

Atera is a legitimate enterprise remote monitoring and management product that is widely used in the IT industry. Even though the installer has been slightly modified, antivirus tools are therefore unlikely to alert the victim.

It is unclear how the threat actors tricked victims into downloading the malicious file; they may have used software cracks on pirated-software sites or spear-phishing emails.

When executed, the installer deploys the Atera agent and enrolls the machine under an Atera account registered to an email address controlled by the threat group.

From that point the attacker has full remote access to the system and can run scripts and upload or download files, including the Zloader payload itself.

Atera’s remote monitoring solution comes with a 30-day free trial, which is long enough to carry out an attack.

Dropping Zloader

A batch script delivered through the malicious installer first checks that it is running with administrative privileges, then adds folder exclusions to Windows Defender and disables tools such as cmd.exe and Task Manager.

Next, the following additional files are downloaded to the %AppData% folder:

  • 9092.dll – Zloader, the main payload
  • adminpriv.exe – NSudo.exe, a utility that runs programs with elevated privileges
  • appContast.dll – used to run 9092.dll and new2.bat
  • reboot.dll – also used to run 9092.dll
  • new2.bat – disables "Administrator Approval Mode" and shuts down the computer
  • auto.bat – placed in the Startup folder for persistence across reboots

Zloader is loaded by regsvr32.exe and injected into an msiexec.exe process, which communicates with the C2 server lkjhgfgsdshja[.]com.

Finally, the new2.bat script edits the registry to disable Administrator Approval Mode, so that applications run with full administrator rights without a UAC prompt.

Since a reboot is required for this change to take effect, the malware will force the infected system to reboot at this point.
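The dropper behaviour described in the steps above (Windows Defender folder exclusions, disabled cmd.exe and Task Manager, a DLL loaded by regsvr32.exe out of %AppData%, auto.bat in the Startup folder, and Administrator Approval Mode switched off) maps onto a handful of host telemetry events. The Python below is an added example, not code from this article or from Check Point: it runs simple matching rules over constructed, Sysmon-shaped records (event ID 13 registry value set, ID 1 process create, ID 11 file create). The registry locations are the standard Windows policy values behind those settings (DisableCMD, DisableTaskMgr, EnableLUA, Windows Defender Exclusions\Paths), which the article does not name; the sample events, user name and SID are invented.

```python
import re

# Constructed, Sysmon-shaped telemetry modelled on the dropper behaviour
# described in the article (ID 13 = registry value set, ID 1 = process
# create, ID 11 = file create). User, SID and paths are invented.
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Policies\Microsoft\Windows\System\DisableCMD",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\victim\AppData\Roaming",
     "details": "DWORD (0x00000000)"},
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Users\victim\AppData\Roaming\9092.dll"},
    {"id": 11, "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\auto.bat"},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
    # Benign noise: a policy refresh rewriting EnableLUA with UAC still on,
    # and regsvr32 registering a system DLL from System32.
    {"id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000001)"},
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"},
]

# Registry indicators: (name, regex on the value path, required DWORD or None)
REGISTRY_RULES = [
    ("cmd_disabled", r"\\Policies\\Microsoft\\Windows\\System\\DisableCMD$", 1),
    ("taskmgr_disabled", r"\\Policies\\System\\DisableTaskMgr$", 1),
    ("uac_admin_approval_disabled", r"\\Policies\\System\\EnableLUA$", 0),
    ("defender_path_exclusion", r"\\Windows Defender\\Exclusions\\Paths\\", None),
]


def _dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None for other types."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


def triage(events):
    """Return [(indicator, event_index)] for every event matching a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev["id"] == 13:
            value = _dword(ev["details"])
            for name, pattern, expected in REGISTRY_RULES:
                if (re.search(pattern, ev["target"], re.IGNORECASE)
                        and (expected is None or value == expected)):
                    hits.append((name, i))
        elif ev["id"] == 1 and ev["image"].lower().endswith("\\regsvr32.exe"):
            # regsvr32 loading a DLL out of a user profile, as with 9092.dll
            if re.search(r"\\AppData\\\S*\.dll", ev["command_line"], re.IGNORECASE):
                hits.append(("regsvr32_appdata_dll", i))
        elif ev["id"] == 11 and re.search(
                r"\\Start Menu\\Programs\\Startup\\[^\\]+\.bat$",
                ev["target"], re.IGNORECASE):
            hits.append(("startup_folder_batch", i))
    return hits


def chain_detected(hits, minimum=4):
    """Escalate only when several distinct stages appear together: a single
    indicator (one Defender exclusion, say) is ordinary admin noise."""
    return len({name for name, _ in hits}) >= minimum


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for name, i in found:
        ev = SAMPLE_EVENTS[i]
        print(f"[{i}] {name}: {ev.get('target') or ev['command_line']}")
    print("Zloader-like chain:", chain_detected(found))
```

On the constructed sample the six malicious events each produce one hit, the two benign events produce none, and the chain threshold is met. When adapting this to real Sysmon or EDR data, keep the value check on EnableLUA (only a write of 0 matters) and expect Defender exclusion writes to need allow-listing for legitimate deployment tooling.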

Microsoft’s Code Signing Check Bypassed

Check Point found that appContast.dll, which runs the Zloader payload and the registry-editing script, carries a valid code signature, so the operating system essentially trusts it.

Compared with the original DLL from Atera, the researchers found only slight differences: the checksum and the size of the signature.


These differences do not invalidate the digital signature: Authenticode's hash does not cover the certificate table, so data can be appended to the signature section of the file while the signature still verifies. That is how the script that runs the Zloader payload and new2.bat was hidden inside a validly signed DLL.

Microsoft has known about this gap since 2012 (CVE-2012-0151, CVE-2013-3900, CVE-2020-1599) and has addressed it by releasing increasingly strict file-verification policies. However, those policies are opt-in and remain disabled by default.
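As an added example (not from this article, Check Point, or Microsoft), the Python script below builds a minimal, constructed PE32+ image with a placeholder certificate table and then shows both halves of the problem described above: an Authenticode-style digest that skips the CheckSum field, the security data-directory entry and the certificate table (so bytes appended inside the table leave it unchanged), and a padding check in the spirit of EnableCertPaddingCheck that flags non-zero bytes sitting after the end of the PKCS#7 DER structure. The DER blob is a stand-in for a real SignedData structure, the image has no sections (so the digest is a simplification of the full Authenticode procedure), and the rule "non-zero bytes after the DER end are extraneous" is this script's own approximation of Microsoft's check, not a reproduction of it.

```python
import hashlib
import struct

# Constructed stand-in for the PKCS#7 SignedData blob of a real signature: a
# DER SEQUENCE holding the signedData OID and a NULL. Only its DER length
# header matters for the check below; it is not a real signature.
FAKE_PKCS7 = bytes.fromhex("300d06092a864886f70d010702") + b"\x05\x00"


def build_pe(cert_blob: bytes, extra: bytes = b"") -> bytes:
    """Build a minimal, sectionless PE32+ image whose security directory points
    at a WIN_CERTIFICATE holding cert_blob followed by `extra`, which is where
    an attacker appends data without breaking the signature."""
    opt_size = 112 + 16 * 8                        # PE32+ header, 16 data dirs
    body = b"\xcc" * 200                           # stand-in for code/data
    headers_len = 64 + 4 + 20 + opt_size
    cert_off = (headers_len + len(body) + 7) & ~7  # table is 8-byte aligned
    payload = cert_blob + extra
    payload += b"\x00" * (-(8 + len(payload)) % 8)  # zero alignment padding
    dw_length = 8 + len(payload)                   # WIN_CERTIFICATE.dwLength
    # revision 0x0200, type 0x0002 = WIN_CERT_TYPE_PKCS_SIGNED_DATA
    win_cert = struct.pack("<IHH", dw_length, 0x0200, 0x0002) + payload

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, dw_length)  # security dir
    gap = b"\x00" * (cert_off - headers_len - len(body))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + gap + win_cert


def _layout(pe: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_size) from the headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                            # after signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    secdir = dirs + 4 * 8                          # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)  # file offset, not RVA
    return opt + 64, secdir, cert_off, cert_size


def authenticode_digest(pe: bytes) -> str:
    """SHA-256 of the image the way Authenticode hashes it: the CheckSum field,
    the security data-directory entry and the certificate table are skipped,
    so nothing inside the table can change this value. Simplified to a
    sectionless image; a real implementation hashes sections in order."""
    checksum_off, secdir, cert_off, cert_size = _layout(pe)
    h = hashlib.sha256()
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir])
    h.update(pe[secdir + 8:cert_off])
    h.update(pe[cert_off + cert_size:])            # trailing data, if any
    return h.hexdigest()


def der_total_length(buf: bytes) -> int:
    """Size of the DER element at buf[0], including tag and length octets."""
    if buf[0] != 0x30:
        raise ValueError("PKCS#7 SignedData must start with a SEQUENCE")
    first = buf[1]
    if first < 0x80:                               # short-form length
        return 2 + first
    n = first & 0x7F                               # long form: n length octets
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def cert_table_slack(pe: bytes):
    """Return (slack, non_zero): bytes of the WIN_CERTIFICATE that lie after the
    end of the PKCS#7 structure, and how many of them are non-zero. Zero bytes
    are ordinary alignment padding; non-zero bytes are smuggled data."""
    _, _, cert_off, cert_size = _layout(pe)
    if cert_size == 0:
        raise ValueError("image is not signed")
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    if revision != 0x0200 or cert_type != 0x0002:
        raise ValueError("unexpected WIN_CERTIFICATE revision/type")
    pkcs7 = pe[cert_off + 8:cert_off + dw_length]
    slack = pkcs7[der_total_length(pkcs7):]
    return len(slack), sum(1 for b in slack if b)


CLEAN = build_pe(FAKE_PKCS7)
# Same image, with a 40-byte blob appended inside the certificate table.
TAMPERED = build_pe(FAKE_PKCS7, extra=b"payload-staging-data-hidden-in-signature")

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, authenticode_digest(img), cert_table_slack(img))
```

Run as-is, the clean and tampered images produce the same Authenticode-style digest even though the files differ, cert_table_slack reports (1, 0) for the clean image (one zero alignment byte) and (41, 40) for the tampered one. To triage a real binary, read it into bytes and call cert_table_slack; a large non-zero slack is the same symptom Check Point described in appContast.dll.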

You can close the gap yourself by enabling the stricter policy as described in Microsoft's security advisory for CVE-2013-3900.

You can also paste the following lines into Notepad, save the file with a .reg extension, and import it by double-clicking it (administrator rights are required to write under HKEY_LOCAL_MACHINE):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

Mainly targeting victims in North America

As of January 2, 2022, the latest Zloader campaign had infected 2,170 systems; 864 of the victim IP addresses are in the United States and another 305 in Canada.

While the number of victims may not seem surprisingly large, these attacks are highly targeted and can cause significant damage to each victim.

Because the delivery route is not known, the best defence against this threat is to enable the stricter signature-verification policy described above and to hunt proactively using the indicators of compromise (IoCs) published by Check Point Research.
