New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification
An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and Microsoft's digital signature verification to siphon user credentials and sensitive information.
"The malware then exploits Microsoft's digital signature verification method to inject its payload into a signed system DLL to further evade the system's defenses."
The DLL is not only signed by Microsoft with a valid signature; the file, originally an app resolver module, has also been tweaked and injected with a malicious script to load the final-stage malware.
This is made possible by exploiting a known issue tracked as CVE-2013-3900 - a WinVerifyTrust signature validation vulnerability - that allows remote attackers to execute arbitrary code via specially crafted portable executables by appending the malicious code snippet while still maintaining the validity of the file signature.
Although Microsoft addressed the bug in 2013, the company revised its plans in July 2014 to no longer "Enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows" and made it available as an opt-in feature.
"It seems like the ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis," Check Point malware researcher Kobi Eisenkraft said, urging users to refrain from installing software from unknown sources and apply Microsoft's strict Windows Authenticode signature verification for executable files.
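The condition behind CVE-2013-3900 is that the Authenticode hash excludes the PE attribute certificate table, so bytes placed after the PKCS#7 SignedData structure inside that table do not break the signature; Microsoft's opt-in stricter verification rejects files whose certificate table carries non-zero data past the end of that structure. The following script is an added example, not code from the article or from Check Point: it reproduces that stricter check as an offline audit a defender can run over PE files. The PE stub and the `FAKE_PKCS7` blob are constructed stand-ins (a real file would carry a genuine SignedData blob; the script only needs its outer DER SEQUENCE length), and `audit_certificate_table` is a hypothetical helper name.

```python
import struct
from typing import List, Optional, Tuple

# Constants from the PE specification.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def find_certificate_table(pe: bytes) -> Optional[Tuple[int, int]]:
    """Return (file offset, size) of the attribute certificate table, or None if absent.
    For the security directory the 'VirtualAddress' field is a raw file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = e_lfanew + 4 + 20                      # skip signature and COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dir_off = {0x10B: 96, 0x20B: 112}.get(magic)     # PE32 / PE32+ data directory offsets
    if dir_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, opt_off + dir_off - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    return struct.unpack_from("<II", pe, opt_off + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def der_total_length(blob: bytes) -> int:
    """Total encoded length of the DER SEQUENCE at the start of blob (tag + length + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                                  # short-form length
        return 2 + first
    n = first & 0x7F                                  # long-form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def audit_certificate_table(pe: bytes) -> List[str]:
    """Walk every WIN_CERTIFICATE entry and report data that sits after the PKCS#7 structure.
    Zero padding up to the 8-byte entry alignment is allowed; anything else is flagged."""
    findings: List[str] = []
    entry = find_certificate_table(pe)
    if entry is None or entry[1] == 0:
        return ["unsigned: no attribute certificate table"]
    off, size = entry
    end = off + size
    if end > len(pe):
        return ["certificate table extends past end of file"]
    pos = off
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            findings.append("entry@%d: invalid dwLength %d" % (pos, length))
            break
        cert = pe[pos + 8:pos + length]
        if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            findings.append("entry@%d: non-PKCS#7 certificate type 0x%04x" % (pos, ctype))
        else:
            try:
                der_len = der_total_length(cert)
            except ValueError as exc:
                findings.append("entry@%d: %s" % (pos, exc))
            else:
                if der_len > len(cert):
                    findings.append("entry@%d: PKCS#7 structure truncated" % pos)
                else:
                    trailing = cert[der_len:]
                    nonzero = sum(1 for b in trailing if b)
                    if nonzero:
                        findings.append(
                            "entry@%d: %d bytes after PKCS#7 SignedData, %d non-zero "
                            "(rejected by strict Authenticode verification)" % (pos, len(trailing), nonzero))
        pos += (length + 7) & ~7                      # entries are 8-byte aligned
    return findings


# ---- constructed test fixtures (not real signed binaries) -------------------------------

# Stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE with a 32-byte opaque body.
FAKE_PKCS7 = b"\x30\x82\x00\x20" + b"\xA5" * 0x20


def win_certificate(pkcs7: bytes, trailing: bytes = b"") -> bytes:
    """Build one WIN_CERTIFICATE entry, zero-padded to 8 bytes like a real certificate table."""
    body = pkcs7 + trailing
    length = 8 + len(body)
    padded = (length + 7) & ~7
    return struct.pack("<IHH", padded, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) \
        + body + b"\0" * (padded - length)


def build_pe(cert_table: bytes) -> bytes:
    """Constructed minimal PE32+ header (not loadable) whose security directory points at cert_table."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    cert_offset = 64 + 4 + 20 + 240
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, len(cert_table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    clean = build_pe(win_certificate(FAKE_PKCS7))
    tampered = build_pe(win_certificate(FAKE_PKCS7, b"constructed appended data"))
    print("clean:   ", audit_certificate_table(clean) or ["ok"])
    print("tampered:", audit_certificate_table(tampered))
```

On a real file, replace `build_pe(...)` with the bytes read from disk; the script inspects only the header and the certificate table, so it works on binaries of any size. It does not validate the signature itself; a clean result means only that the file would not trip the padding check. Enabling the stricter behaviour on Windows is the separate, opt-in step Microsoft documents in its MS13-098 advisory (the `EnableCertPaddingCheck` registry value), which is what the article's advice refers to.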
News URL
https://thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html
Related news
- DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack
- Vultur banking malware for Android poses as McAfee Security app
- Microsoft fixes two Windows zero-days exploited in malware attacks
- GitHub comments abused to push malware via Microsoft repo URLs
- New Latrodectus malware attacks use Microsoft, Cloudflare themes
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2013-12-11 | CVE-2013-3900 | Improper Input Validation vulnerability in Microsoft products: the WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability." | 0.0