3rd Party Risk Management , Application Security , Cybercrime
ZLoader Malware Exploits Microsoft Signature VerificationAttackers Use Legitimate Remote Management Software for Infection
A Zloader malware campaign has been exploiting Microsoft’s digital signature verification to steal cookies, passwords and sensitive information, according to researchers.
See Also: Rapid Digitization and Risk: A Roundtable Preview
The threat actor, likely MalSmoke, used legitimate remote management software to gain initial access to the target machine says Golan Cohen, malware analyst at Check Point Research, which published the research report. The Israeli cybersecurity company's cyber threat intelligence unit says that it has been tracking the infection chain since early November 2021.
The malware exploits Microsoft’s digital signature verification method by injecting a payload into a signed system DLL to evade the system’s defenses, which, according to Cohen, shows how the Zloader campaign authors put effort into defense evasion and are updating their methods on a weekly basis.
"Zloader campaigns have been previously spotted in the wild in multiple forms. Two noteworthy ways seen here are using legitimate RMM software as an initial access to a target machine, and appending code to a file’s signature while still maintaining the signature’s validity and running it using mshta.exe," Cohen says.
Full Access Enabled
Remote management software is always going to be a choice vector of attack, simply because it can give criminals what will look like a legitimate route to take over target devices and do with them what they will, says Alan Calder, CEO of risk management solutions provider GRC International Group.
“Digital signature is one of the most important mechanisms Microsoft provides. The process was created to prevent malicious payload distribution campaigns, but in this case, it has enabled the opposite to happen." says Kevin Bocek, vice president ecosystem and threat intelligence at cybersecurity firm Venafi. "We’ve seen similar high-profile breaches focusing attacks on developers using banking Trojans in the past, and these Malsmoke Zloader attacks are making use of Atera’s remote monitoring and management software, which is commonly used across the globe. This gives the attackers full access to the victim’s systems, enabling them to upload or download files at will."
Bocek says that these breaches utilizing the vulnerability in Microsoft’s digital signatures serve as a reminder to organizations that they need to be alert to code-signing attacks. Blindly trusting that digital signatures are secure simply isn’t enough. Especially in the age of cloud computing, "we must learn the quickly secure software development pipelines. Instead, organizations need to put measures in place to constantly review and protect these incredibly powerful machine identities.”
During analysis the researchers discovered an open directory containing files used in the campaign hosted on teamworks455[.]com,.
“Every few days the author makes changes to the files and the check.php script returns a different DLL file with the same behavior, but a different hash. In the file `entries’ we can see a list of victims that are infected with Zloader and their country of origin," the researchers say.
As of Jan. 2, the Check Point Research team says there were 2,170 unique victim IPs that downloaded the malicious DLL file. Most of the victims, it added, reside in the United States and Canada.
The infection chain starts with the installation of Atera software on the victim's machine. Atera is a legitimate, enterprise remote monitoring and management software, designed for IT use. It can install an agent and assign the endpoint to a specific account using a unique .msi file that includes the owner’s email address.
"The campaign authors created this installer (b9d403d17c1919ee5ac6f1475b645677a4c03fe9) with a temporary email address: ‘Antik.Corp@mailto.plus’. The file imitates a Java installation, just like in previous Zloader campaigns. As of this moment, the exact distribution method for this file is not fully understood," Cohen says.
Upon installation of the agent on a victim machine, the attacker gains full access to the system and is able to download and upload files and run scripts say the researchers.
"Atera offers a free 30-day trial for new users, which is enough time for the attacker to stealthily gain initial access. Previously, Atera was used by the Conti ransomware group to gain persistence and remote access," Check Point says. (see: Conti Ransomware Threat Rising as Group Gains Affiliates).
Once the agent is successfully installed, the attacker uploads and runs two .bat files onto the device using the Run Script function. The .bat is used to modify Windows Defender preferences and to load the rest of the malware.
In addition, Cohen says that the rest of the files are hosted on the domain teamworks455[.]com and are downloaded from there. These files also include a load.bat script, which downloads and runs new.bat, which checks for admin privileges and requests them using the BatchGotAdmin script.
"It then continues to download another bat file (new1.bat). This new script adds more exclusions to Windows Defender for different folders, disables different tools on the machine that could be used for detection and investigation, such as cmd.exe and the task manager," Cohen says.
The process also downloads files that enable the threat actor to run programs with elevated privileges, disable admin approval mode and shut down the computer as well as allow boot persistence.
Analysis of a file, dubbed appContast.dll, showed that it was signed by Microsoft with a valid signature, and its original filename AppResolver.dll was injected with a malicious script to load the final-stage malware.
"Comparing the two files, we see that in the malicious DLL, the author appended a script to the file, which then enters a sleeping phase," the research report states. "Next, it runs the main Zloader payload, ultimately injecting its payload into the running process." An installer then communicates with the command and control server at the domain lkjhgfgsdshja[.]com, the researchers say.
"This is made possible by exploiting a known issue tracked as CVE-2013-3900, a WinVerifyTrust signature validation vulnerability that allows remote attackers to execute arbitrary code via specially crafted portable executables by appending the malicious code snippet while still maintaining the validity of the file signature," the researchers say.
Threat actor MalSmoke, Check Point Research says, has previously run campaigns that have some similarities with the current one.
"Malware in previous campaigns by MalSmoke are known to masquerade as Java plugins, which is occurring in this case. There is a connection between the registrar information of the domain teamworks455[.]com, where the current campaign files are hosted, and the domain pornislife[.]online which was linked to a MalSmoke campaign in 2020," the researchers say.
During investigating the ‘entries’ file, researchers say they found two IP addresses that may be related to the attackers. The first address, 185[.]191[.]34[.]223, was spotted in an IP blacklist that is categorized as cybercrime.
"The second address, 185[.]191[.]34[.]209, can be seen attempting to download the payload multiple times, using different user-agents. This could indicate that the authors were testing their payload," the researchers say.
To mitigate the issue, the researchers recommend that vendors "conform to the new Authenticode specifications to have these settings as default, instead of an opt-in update. Until that happens, we can never be sure if we can truly trust a file’s signature."