
New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification
2022-01-05 20:18

An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and Microsoft's digital signature verification to siphon user credentials and sensitive information.

"The malware then exploits Microsoft's digital signature verification method to inject its payload into a signed system DLL to further evade the system's defenses."

The DLL is not only signed by Microsoft with a valid signature; the file, originally an app resolver module, has also been tweaked and injected with a malicious script that loads the final-stage malware.

This is made possible by exploiting a known issue tracked as CVE-2013-3900 - a WinVerifyTrust signature validation vulnerability - that allows remote attackers to execute arbitrary code via specially crafted portable executables by appending the malicious code snippet while still maintaining the validity of the file signature.

Although Microsoft addressed the bug in 2013, the company revised its plans in July 2014 to no longer "Enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows" and made it available as an opt-in feature.

"It seems like the ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis," Check Point malware researcher Kobi Eisenkraft said, urging users to refrain from installing software from unknown sources and to apply Microsoft's strict Windows Authenticode signature verification for executable files.
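As an added example (not from the article or from Check Point's research): a Python check for the condition that Microsoft's opt-in stricter verification rejects, namely non-zero bytes sitting after the PKCS#7 SignedData inside the PE certificate table, a region the Authenticode digest does not cover. The WIN_CERTIFICATE layout and data-directory offsets follow Microsoft's PE and Authenticode documentation; the build_cert_table helper and every sample entry are constructed test data, not real signatures.

```python
import struct

WIN_CERT_REVISION_2_0 = 0x0200           # wRevision used by Authenticode entries
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType: PKCS#7 SignedData


def der_length(blob: bytes) -> int:
    """Total encoded size of the DER SEQUENCE (the SignedData) at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def trailing_bytes(cert_table: bytes) -> bytes:
    """Bytes between the end of the SignedData and dwLength of the first entry.
    The Authenticode digest skips the certificate table, so appended content
    placed here survives a default WinVerifyTrust check."""
    dw_length, rev, ctype = struct.unpack_from("<IHH", cert_table, 0)
    if rev != WIN_CERT_REVISION_2_0 or ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unsupported WIN_CERTIFICATE revision/type")
    body = cert_table[8:dw_length]
    return body[der_length(body):]


def security_directory(pe: bytes) -> bytes:
    """Slice the certificate table out of a PE image (PE32 or PE32+)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20               # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (0x70 if magic == 0x20B else 0x60)
    off, size = struct.unpack_from("<II", pe, dirs + 8 * 4)  # entry 4 = SECURITY
    return pe[off:off + size]             # for this entry the field is a file offset


def has_unsigned_tail(pe: bytes) -> bool:
    """True when non-zero data sits after the signature inside the cert table."""
    table = security_directory(pe)
    return bool(table) and any(b != 0 for b in trailing_bytes(table))


def build_cert_table(signed_data: bytes, tail: bytes = b"") -> bytes:
    """Constructed test data only: one WIN_CERTIFICATE entry, 8-byte aligned."""
    body = signed_data + tail
    body += b"\0" * (-len(body) % 8)
    return struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
```

Running has_unsigned_tail over signed binaries flags the same files that Microsoft's opt-in padding check (the EnableCertPaddingCheck value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config) would reject, which is useful for auditing hosts where that setting has not been enabled.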


News URL

https://thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html

Related Vulnerability

DATE         CVE            VULNERABILITY TITLE                                            RISK
2013-12-11   CVE-2013-3900  Improper Input Validation vulnerability in Microsoft products  0.0

The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 678 806 4494 4179 3706 13185