Security News > 2022 > January > New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification

New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification
2022-01-05 20:18

An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and Microsoft's digital signature verification to siphon user credentials and sensitive information.

"The malware then exploits Microsoft's digital signature verification method to inject its payload into a signed system DLL to further evade the system's defenses."

Dll is not only signed by Microsoft with a valid signature, but also that the file, originally an app resolver module, has been tweaked and injected with a malicious script to load the final-stage malware.

This is made possible by exploiting a known issue tracked as CVE-2013-3900 - a WinVerifyTrust signature validation vulnerability - that allows remote attackers to execute arbitrary code via specially crafted portable executables by appending the malicious code snippet while still maintaining the validity of the file signature.

Although Microsoft addressed the bug in 2013, the company revised its plans in July 2014 to no longer "Enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows" and made it available as an opt-in feature.

"It seems like the ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis," Check Point malware researcher, Kobi Eisenkraft, said, urging users to refrain from installing software from unknown sources and apply Microsoft's strict Windows Authenticode signature verification for executable files.


News URL

https://thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2013-12-11 CVE-2013-3900 Improper Verification of Cryptographic Signature vulnerability in Microsoft products
Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11.
network
low complexity
microsoft CWE-347
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2820 161 4400