Security researchers are observing a new campaign in which attackers abuse Microsoft's digital signature verification to deploy Zloader, a banking malware designed to steal user credentials and private information.
This campaign was spotted in early November 2021, according to the Check Point Research team, which disclosed their findings today. As of Jan. 2, they said, 2,170 unique victim IPs around the world had downloaded the malicious DLL file. Most victims are located in the United States (864), Canada (305), and India (140). About one-third of these are businesses, a small amount are related to education and government, and the remainder are individuals.
Zloader is not a new form of malware; these campaigns have previously been seen in the wild in several forms. Earlier Zloader campaigns, seen in 2020, used malicious files, adult websites, and Google ads to attack target systems, the researchers said.
Here, the attack operators seem especially focused on evasion techniques. They use legitimate remote monitoring and management (RMM) software to gain initial access to target machines and add code to a file's signature while still maintaining the signature's validity, then run it using mshta.exe.
"The new and most interesting thing, from my point of view, is that this is the first time we notice [a] Zloader campaign exploit Microsoft's digital signature verification method to inject its payload into a signed system DLL to further evade the system's defenses," explains Kobi Eisenkraft, malware researcher at Check Point. "This evidence shows that the Zloader campaign authors put great effort into defense evasion."
An infection begins with installing Atera software on a target machine. Atera is legitimate enterprise RMM software that can install an agent and assign the endpoint to a particular account with an .msi file that includes the owner's email address. The attackers did this with a temporary email address, and the downloadable file is disguised as a Java installation — a method seen in earlier Zloader campaigns.
Eisenkraft says the team is unsure how attackers deploy Atera onto victim devices in this campaign; however, in earlier Zloader campaigns, the operators lured victims by playing part of an adult film. After a few seconds, the video stopped and a message would say their Java needed to be updated. They were prompted to download a "Java" installation, which was a trial version of Atera that enabled attackers to send files to the machine and run them, he explains.
After the software is on the machine, the attacker uploads and runs two .bat files onto the device using the "Run Script" function. One is used to modify Windows Defender preferences, and the other is used to load the rest of the malware. In this stage, scripts add exclusions to Windows Defender and disable tools that could be used for detection and investigation.
The script then runs mshta[.]exe with appContast[.]dll as the parameter. Researchers noticed this file was signed by Microsoft with a valid signature, and by comparing the malicious DLL with the original, they saw the attackers had added a script to the file.
"These simple modifications to a signed file maintain the signature's validity, yet enable us to append data to the signature section of a file," the Check Point team explained in a technical writeup of the findings. In this campaign, the added information let the attackers download and run the Zloader payload.
This is the result of a security gap mentioned in CVE-2020-1599, CVE-2013-3900, and CVE-2012-0151, they noted.
Microsoft addressed the signature verification problem in a 2013 Security Bulletin and pushed a fix. However, after implementing it, the company said it "determined that impact to existing software could be high." In July 2014, it swapped the stricter file verification for an opt-in update, the team wrote. Unless someone manually installed the patch, they weren't protected. Many security vendors will allow the malicious signed file to run because it has a valid digital signature from Microsoft, Eisenkraft explains.
Eisenkraft says it doesn't seem like the attackers were after any specific types of data; mostly passwords and sensitive information were compromised.
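As an added illustration (not code from Check Point's writeup), the following Python check shows the defender's side of the technique described above: it walks a PE file's Authenticode certificate table and reports any non-zero bytes that follow the DER-encoded PKCS#7 SignedData blob inside a WIN_CERTIFICATE entry, the space that Authenticode does not hash and that the opt-in padding check rejects. `FAKE_P7` is a constructed stand-in for a real SignedData blob, and `build_sample_pe` builds a constructed, non-loadable PE32 fixture so the check can run offline; on a real file, pass the file's bytes to `appended_payload`.

```python
import struct

# Constructed stand-in for a real DER PKCS#7 SignedData blob (long-form length)
FAKE_P7 = b"\x30\x82\x00\x03\x02\x01\x05"

def security_directory(pe: bytes):
    """(file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY; a raw offset, not an RVA."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                             # optional header follows 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)    # data directories: PE32 vs PE32+
    return struct.unpack_from("<II", pe, dirs + 4 * 8)

def der_length(buf: bytes, off: int = 0) -> int:
    """Total byte length of the DER SEQUENCE (the SignedData) starting at buf[off]."""
    if buf[off] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = buf[off + 1]
    if first < 0x80:                                # short form: one length byte
        return 2 + first
    n = first & 0x7F                                # long form: n length bytes follow
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")

def appended_payload(pe: bytes) -> bytes:
    """Non-zero bytes after the PKCS#7 blob inside the WIN_CERTIFICATE entries.
    Authenticode hashes neither the table nor these bytes, so the signature still verifies."""
    off, size = security_directory(pe)
    if size == 0:
        raise ValueError("file carries no Authenticode signature")
    end, tail = off + size, b""
    while off < end:
        dw_len, _rev, _ctype = struct.unpack_from("<IHH", pe, off)
        if dw_len < 8 or off + dw_len > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        blob = pe[off + 8:off + dw_len]
        tail += blob[der_length(blob):]
        off += (dw_len + 7) & ~7                    # entries are 8-byte aligned
    return tail.rstrip(b"\0")                       # zero padding is legitimate

def build_sample_pe(cert_blob: bytes) -> bytes:
    """Constructed minimal PE32 fixture whose security directory points at cert_blob."""
    dos = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 64))   # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(struct.pack("<H", 0x10B).ljust(224, b"\0"))   # PE32 optional header
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    struct.pack_into("<II", opt, 96 + 4 * 8, 64 + len(coff) + 224, len(win_cert))
    return bytes(dos) + coff + bytes(opt) + win_cert
```

A non-empty result means the file carries data the signature does not cover, which is worth triaging even though signature validation reports the file as valid.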
Check Point attributes the November campaign to Malsmoke. This is the first time researchers have seen the group abusing Microsoft digital signatures, says Eisenkraft, but they noticed similarities to earlier Malsmoke campaigns. Its previous attacks were known to disguise malware as Java plug-ins, which they say is happening in this case.
There is also a connection between the registrar information for the domain teamworks455[.]com, where the current campaign files are hosted, and another domain linked to a separate 2020 Malsmoke campaign.