Hackers use a flaw fixed by Microsoft 9 years ago


The widely used ZLoader malware turns up in all kinds of criminal hacking, from efforts to steal bank passwords and other sensitive data to ransomware attacks. Now a ZLoader campaign that began in November has infected nearly 2,200 victims in 111 countries by abusing a Windows flaw that Microsoft fixed back in 2013.

Hackers have long used various tactics to sneak ZLoader past malware detection tools. In this case, according to researchers at the security company Check Point, the attackers took advantage of a flaw in Microsoft’s signature verification, the integrity check meant to ensure that a file is legitimate and trustworthy. First, they would entice victims to install a legitimate remote IT management tool called Atera to gain access to and control of the device; this part is not particularly surprising or new. From there, however, the hackers still had to install ZLoader without Windows Defender or another malware scanner detecting or blocking it.

This is where the almost decade-old flaw came in handy. Attackers can modify a legitimate dynamic link library file, a common type of file that multiple programs share to load code, to plant their malware. The targeted DLL file is digitally signed by Microsoft, which is supposed to prove its authenticity. But the attackers were able to append a malicious script to the file without invalidating Microsoft’s seal of approval.
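The reason the signature survives is that the Authenticode hash covers the executable image but excludes the attribute certificate table that holds the PKCS#7 signature blob, so bytes placed in that table after the blob go unnoticed by the default check. Microsoft’s stricter verification mode rejects such trailing data. The following script is an added example, not code from the article, from Check Point or from Microsoft: it parses the security data directory of a PE file, measures how many bytes follow the DER-encoded signature inside the WIN_CERTIFICATE entry, and flags anything beyond the normal 8-byte alignment padding. The sample PE it builds is a constructed skeleton with a fake DER blob, not a real signed binary; the function and field names are the author’s own except for the documented PE structures.

```python
"""
Report trailing data appended inside a PE file's Authenticode signature table.

Added example (not from the article, Check Point or Microsoft). The
Authenticode hash excludes the attribute certificate table, so data placed
after the PKCS#7 blob in that table leaves the signature intact; Microsoft's
stricter verification mode refuses such padding. This script measures it for
offline triage of suspicious signed files.
"""
import struct

SECURITY_DIRECTORY_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def der_sequence_length(blob: bytes) -> int:
    """Total length (tag + length bytes + content) of the outer DER SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe: bytes):
    """Return (file_offset, size) of the attribute certificate table, or None."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directories begin at offset 96 (PE32) or 112 (PE32+) of the optional header.
    dd_base = opt + (96 if magic == 0x10B else 112)
    n_dirs = struct.unpack_from("<I", pe, dd_base - 4)[0]
    if n_dirs <= SECURITY_DIRECTORY_INDEX:
        return None
    off, size = struct.unpack_from("<II", pe, dd_base + 8 * SECURITY_DIRECTORY_INDEX)
    # For the security directory the first field is a raw file offset, not an RVA.
    return (off, size) if size else None


def check_signature_padding(pe: bytes) -> dict:
    """Count bytes that follow the PKCS#7 blob inside the WIN_CERTIFICATE entry."""
    loc = security_directory(pe)
    if loc is None:
        return {"signed": False, "extra_bytes": 0, "suspicious": False}
    off, _size = loc
    dw_length, _revision, _cert_type = struct.unpack_from("<IHH", pe, off)
    blob = pe[off + 8:off + dw_length]  # dwLength includes the 8-byte header
    extra = blob[der_sequence_length(blob):]
    # dwLength is rounded up to a multiple of 8, so up to 7 zero bytes are expected.
    suspicious = len(extra) > 7 or any(extra)
    return {"signed": True, "extra_bytes": len(extra), "suspicious": suspicious}


def build_sample_pe(extra: bytes = b"") -> bytes:
    """Constructed minimal PE32+ skeleton with a fake signature blob plus `extra` bytes."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)  # SizeOfOptionalHeader=240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    header = bytes(dos) + b"PE\0\0" + coff
    cert_off = len(header) + len(opt)
    fake_pkcs7 = b"\x30\x82\x00\x10" + b"\xAA" * 16  # constructed: DER SEQUENCE of 16 bytes
    body = fake_pkcs7 + extra
    dw_length = (8 + len(body) + 7) & ~7       # header + body, rounded up to 8
    body += b"\0" * (dw_length - 8 - len(body))
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIRECTORY_INDEX, cert_off, dw_length)
    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
    win_cert = struct.pack("<IHH", dw_length, 0x0200, 0x0002) + body
    return header + bytes(opt) + win_cert


if __name__ == "__main__":
    for label, extra in (("clean", b""), ("padded", b"payload-marker")):
        print(label, check_signature_padding(build_sample_pe(extra)))
```

On a real binary the script only locates and measures the certificate table; it does not validate the signature itself, so a clean result here means "no trailing data", not "trusted". Pair it with a proper signature check, and note that the stricter mode Microsoft describes below is the platform-level equivalent of rejecting any file this script marks as suspicious.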

“When you see a file like a DLL that’s signed, you’re pretty sure you can trust it, but that shows that it’s not always the case,” said Kobi Eisenkraft, a malware researcher at Check Point. “I think we will see more of this method of attack.”

Microsoft calls its signing process “Authenticode.” It released a fix in 2013 that made Authenticode’s signature verification stricter, so that files subtly manipulated in this way would be flagged. The fix was initially going to be rolled out to all Windows users, but in July 2014 Microsoft revised its plan and made the update optional.

“As we worked with customers to adapt to this change, we found that the impact on existing software could be significant,” the company wrote in 2014, meaning that the fix produced false positives, flagging legitimate files as potentially malicious. “Therefore, Microsoft no longer plans to impose stricter verification behavior as a default requirement. However, the basic functionality for stricter verification remains in force and can be activated at the discretion of the customer.”

In a statement Wednesday, Microsoft stressed that customers can protect themselves with the fix the company released in 2013. The company also noted that, as the Check Point researchers observed in the ZLoader campaign, the vulnerability can only be exploited if a device has already been compromised or if the attackers directly trick victims into running one of the manipulated files, which appear to be signed. “Customers who apply the update and enable the configuration specified in the security advisory will be protected,” a Microsoft spokesperson told WIRED.

But although the fix exists and has been available all this time, many Windows devices probably don’t have it enabled, since users and system administrators have to know about the fix and then choose to turn it on. Microsoft noted in 2013 that the vulnerability was being actively exploited by hackers in “targeted attacks.”
