The widely used ZLoader malware appears in all kinds of criminal hacking, from attempts to steal bank passwords and other sensitive data to ransomware attacks. Now, a ZLoader campaign that began in November has infected nearly 2,200 victims in 111 countries by abusing a Windows bug that Microsoft corrected back in 2013.
Hackers have long used a variety of tactics to sneak ZLoader past malware detection tools. In this case, according to researchers at security firm Check Point, the attackers exploited a loophole in Microsoft’s signature verification, the integrity check meant to ensure that a file is legitimate and trustworthy. First, they would trick victims into installing a legitimate IT remote-management tool called Atera to gain access to and control of the device; that part is neither surprising nor new. From there, however, the hackers still had to install ZLoader without Windows Defender or another malware scanner detecting or blocking it.
This is where the nearly decade-old flaw came in handy. Attackers could modify a legitimate dynamic-link library (DLL) file, a common type of file shared between multiple pieces of software to load code, in order to plant their malware. The target DLL is digitally signed by Microsoft, attesting to its authenticity. But the attackers were able to subtly add a malicious script to the file without disturbing Microsoft’s stamp of approval.
“When you see a file as a signed DLL, you’re pretty sure you can trust it, but it shows that’s not always the case,” said Kobi Eisenkraft, a malware researcher at Check Point. “I think we will see more of this method of attack.”
Microsoft calls its code-signing process “Authenticode”. It released a fix in 2013 that made Authenticode’s signature verification more stringent, so that files subtly manipulated in this way would be flagged. Originally, the patch was to be pushed to all Windows users, but in July 2014 Microsoft revised its plan and made the update optional.
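How the tampering described above can be spotted on a PE file, as an added example that is not from the article, Check Point or Microsoft: the checker parses the file’s certificate table and reports any bytes left after the PKCS#7 signature blob, and a constructed toy PE (not a real signed DLL) exercises it. The PE field offsets are the standard layout; the zero-padding rule and the toy samples are assumptions.

```python
import struct
# Constructed demo, not Microsoft's or Check Point's code. Authenticode keeps the
# PKCS#7 blob in the PE certificate table, which the file hash skips, so bytes added
# after the DER blob leave the signature valid; the stricter 2013 check rejects them.

def der_length(blob: bytes) -> int:
    """Encoded length (tag + length + value) of the leading DER SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    n = blob[1] & 0x7F if blob[1] & 0x80 else 0          # long-form length bytes
    value_len = int.from_bytes(blob[2:2 + n], "big") if n else blob[1]
    return 2 + n + value_len

def trailing_signature_bytes(pe: bytes) -> int:
    """Bytes in the (single) WIN_CERTIFICATE after the DER blob and its zero padding."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                                  # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)         # PE32+ vs PE32 directories
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if cert_size == 0:
        return 0                                         # unsigned file
    dw_length, _rev, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    if cert_type != 0x0002:                              # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type")
    blob = pe[cert_off + 8:cert_off + dw_length]
    used = der_length(blob)
    pad = (-used) % 8                                    # alignment padding allowed
    extra = blob[used:]
    if extra[:pad] == b"\0" * pad:
        extra = extra[pad:]
    return len(extra)                                    # > 0 is what the hardening flags

def build_toy_pe(extra: bytes = b"") -> bytes:
    """Constructed sample: PE32+ skeleton with a dummy DER SEQUENCE as its signature."""
    payload = b"\x30\x05\x02\x03ABC"                     # SEQUENCE { INTEGER "ABC" }
    body = payload + b"\0" * ((-len(payload)) % 8) + extra
    e_lfanew, opt_off = 0x40, 0x40 + 24                  # optional header follows COFF header
    cert_off = opt_off + 240                             # 240 = PE32+ optional header size
    pe = bytearray(cert_off + 8 + len(body))
    struct.pack_into("<I", pe, 0x3C, e_lfanew)
    pe[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", pe, e_lfanew + 20, 240)       # SizeOfOptionalHeader
    struct.pack_into("<H", pe, opt_off, 0x20B)           # PE32+ magic
    struct.pack_into("<II", pe, opt_off + 112 + 32, cert_off, 8 + len(body))
    struct.pack_into("<IHH", pe, cert_off, 8 + len(body), 0x0200, 0x0002)
    pe[cert_off + 8:] = body
    return bytes(pe)
```

Running `trailing_signature_bytes` over a real signed DLL reports 0 for an untouched file and a positive count for one with content appended inside its certificate table.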
“As we worked with customers to adapt to this change, we decided that the impact on existing software could be high,” the company wrote in 2014, meaning that the fix produced false positives in which legitimate files were flagged as potentially malicious. “Therefore, Microsoft no longer plans to enforce the stricter verification behavior as a standard requirement. However, the underlying functionality for stricter verification remains in place and can be activated at the customer’s discretion.”
In a statement Wednesday, Microsoft stressed that users can protect themselves with the fix it released in 2013. The company also noted that, as Check Point’s researchers observed in the ZLoader campaign, the vulnerability can only be exploited if a device has already been compromised or attackers trick victims directly into running one of the manipulated files that appear to be signed. “Customers who apply the update and enable the configuration specified in the security release will be protected,” a Microsoft spokesman told WIRED.
But even though the fix has been available all this time, many Windows devices probably do not have it enabled, since users and system administrators would need to know about the patch and then choose to configure it. Microsoft noted in 2013 that the vulnerability was being actively exploited by hackers in “targeted attacks.”