Security News > 2022 > January > New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification
An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and Microsoft's digital signature verification to siphon user credentials and sensitive information.
"The malware then exploits Microsoft's digital signature verification method to inject its payload into a signed system DLL to further evade the system's defenses."
Dll is not only signed by Microsoft with a valid signature, but also that the file, originally an app resolver module, has been tweaked and injected with a malicious script to load the final-stage malware.
This is made possible by exploiting a known issue tracked as CVE-2013-3900 - a WinVerifyTrust signature validation vulnerability - that allows remote attackers to execute arbitrary code via specially crafted portable executables by appending the malicious code snippet while still maintaining the validity of the file signature.
Although Microsoft addressed the bug in 2013, the company revised its plans in July 2014 to no longer "Enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows" and made it available as an opt-in feature.
"It seems like the ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis," Check Point malware researcher, Kobi Eisenkraft, said, urging users to refrain from installing software from unknown sources and apply Microsoft's strict Windows Authenticode signature verification for executable files.
News URL
https://thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html
Related news
- Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack (source)
- New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection (source)
- New FakeCall Malware Variant Hijacks Android Devices for Fraudulent Banking Calls (source)
- New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers (source)
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2013-12-11 | CVE-2013-3900 | Improper Verification of Cryptographic Signature vulnerability in Microsoft products Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. | 8.8 |