New Zloader attacks thwarting Microsoft signature checks

Cybercriminals are using valid Microsoft signatures to avoid detection by security software.

Researchers with Check Point Software Technologies reported Wednesday the Zloader banking Trojan is using a new script that allows it to covertly infect PCs and install remote logging and access malware. While the group has been active since at least 2020, a new trick Zloader operators are using caught the eye of security researchers.

Members of the Check Point team found Zloader's .exe now makes use of DLL files that have valid Microsoft signatures. The .exe itself is pushed to the user by way of social engineering or through the use of legitimate remote management tools such as Atera. 

Once loaded, the libraries then run embedded attack scripts that seek to reach a command and control server that then pushes further downloads. By containing the valid signature, the files are less likely to alert security software such as Microsoft Defender.

The team found that the malware writers had taken legitimate, signed libraries and manipulated key portions of code in such a way as to allow for injection of the attack scripts without altering the signature. The technique takes advantage of older vulnerabilities in Microsoft's signature verification technology that, if unpatched, allow threat actors to bypass the signature checks.

"These simple modifications to a signed file maintain the signature's validity, yet enables us to append data to the signature section of a file," the researchers explained. "As we can't run compiled code from the signature section of a file, placing a script written in VBscript or JavaScript and running the file using mshta.exe is an easy solution that could evade some EDRs [endpoint detection and response]."

The tampering vulnerabilities have been known of for years and were addressed by Microsoft in 2013, but the security update was later made an opt-in feature due to the potential for compatibility issues. Check Point estimated that 2,170 unique IP addresses had run the infected DLL file.

Check Point lead researcher Kobi Eisenkraft told SearchSecurity that administrators looking to protect their networks from potential attacks should not only install the Microsoft update and registry key changes from Microsoft, but should also make sure their systems are up to date with all security patches.

"We recommend that users apply Microsoft's update for strict Authenticode verification," Eisenkraft said. "In addition, administrators should stay on top of the latest software updates and patches on the systems they use."

Check Point also urged software vendors to take action.

"To mitigate the issue, all vendors should conform to the new Authenticode specifications to have these settings as default, instead of an opt-in update," the report stated. "Until that happens, we can never be sure if we can truly trust a file's signature."