The widely used malware ZLoader crops up in all sorts of criminal hacking, from efforts that aim to steal banking passwords and other sensitive data to ransomware attacks. Now, a ZLoader campaign that began in November has infected almost 2,200 victims in 111 countries by abusing a Windows flaw that Microsoft fixed back in 2013.
Hackers have long used a variety of tactics to sneak ZLoader past malware detection tools. In this case, according to researchers at security firm Check Point, the attackers took advantage of a gap in Microsoft’s signature verification, the integrity check for ensuring that a file is legitimate and trustworthy. First, they'd trick victims into installing a legitimate remote IT management tool called Atera to gain access and device control; that part's not particularly surprising or novel. From there, though, the hackers still needed to install ZLoader without Windows Defender or another malware scanner detecting or blocking it.
This is where the nearly decade-old flaw came in handy. Attackers could modify a legitimate “Dynamic-link library” file—a common file shared between multiple pieces of software to load code—to plant their malware. The target DLL file is digitally signed by Microsoft, which proves its authenticity. But attackers were able to inconspicuously append a malicious script to the file without impacting Microsoft's stamp of approval.
“When you see a file like a DLL that's signed you’re pretty sure that you can trust it, but this shows that's not always the case,” says Kobi Eisenkraft, a malware researcher at Check Point. “I think we will see more of this method of attack.”
Microsoft calls its code-signing process “Authenticode.” It released a fix in 2013 that made Authenticode's signature verification stricter, to flag files that had been subtly manipulated in this way. Originally the patch was going to be pushed to all Windows users, but in July 2014 Microsoft revised its plan, making the update optional.
“As we worked with customers to adapt to this change, we determined that the impact to existing software could be high,” the company wrote in 2014, meaning that the fix was causing false positives where legitimate files were flagged as potentially malicious. “Therefore, Microsoft no longer plans to enforce the stricter verification behavior as a default requirement. The underlying functionality for stricter verification remains in place, however, and can be enabled at customer discretion.”
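To make the signature gap concrete for defenders, the Python below is an added example (not code from Check Point, Microsoft or WIRED) covering both the manipulation described above and what the stricter verification looks for. A PE file's Authenticode signature lives in a WIN_CERTIFICATE entry pointed to by the security data directory; the PKCS#7 blob inside it is DER-encoded, so its true length can be read from its outer SEQUENCE header. Bytes sitting after that length but still inside the entry are covered by neither the file hash nor the signature, which is what the lenient verifier ignored. The script locates the table, measures the blob, and reports any non-padding tail. The header-only PE stub and placeholder blob are constructed inline so it runs offline; they carry no real signature, so signature validation itself is out of scope.

```python
"""Report unauthenticated data inside a PE file's Authenticode certificate table.

Added example for the article above, not Check Point's or Microsoft's tooling.
The PE stub and the placeholder "PKCS#7" blob produced by build_stub() are
constructed test fixtures with no real signature.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_HEADER = struct.Struct("<IHH")  # dwLength, wRevision, wCertificateType

# Constructed placeholder standing in for PKCS#7 SignedData: a DER SEQUENCE
# of 5 bytes wrapping one INTEGER. Real SignedData is far larger but has the
# same outer SEQUENCE framing, which is all the length check relies on.
SAMPLE_PKCS7 = b"\x30\x05\x02\x03\x01\x02\x03"


def der_sequence_length(blob: bytes) -> int:
    """Total encoded size of the outer DER SEQUENCE at the start of blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long-form: next nbytes hold the length
    length = int.from_bytes(blob[2:2 + nbytes], "big")
    return 2 + nbytes + length


def security_directory(pe: bytes):
    """Return (file offset, size) of the Authenticode table from the optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directory start
    entry = dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    return struct.unpack_from("<II", pe, entry)    # security entry holds a raw file offset


def appended_data(pe: bytes) -> bytes:
    """Bytes inside the WIN_CERTIFICATE entry that lie past the PKCS#7 blob."""
    offset, size = security_directory(pe)
    if size == 0:
        return b""
    dw_length, _revision, _cert_type = WIN_CERT_HEADER.unpack_from(pe, offset)
    body = pe[offset + WIN_CERT_HEADER.size: offset + dw_length]
    return body[der_sequence_length(body):]


def has_unauthenticated_tail(pe: bytes) -> bool:
    """True when anything other than zero alignment padding follows the blob."""
    return any(appended_data(pe))


def build_stub(pkcs7: bytes, extra: bytes = b"") -> bytes:
    """Constructed header-only PE32 stub whose certificate table holds pkcs7 + extra."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 96 + 16 * 8                                          # PE32 with 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    cert_offset = (0x40 + 4 + 20 + opt_size + 7) & ~7
    body = pkcs7 + extra
    body += b"\0" * (-len(body) % 8)      # 8-byte alignment padding the format permits
    cert = WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body), 0x0200, 0x0002) + body
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                     cert_offset, len(cert))
    image = dos + b"PE\0\0" + coff + bytes(opt)
    return image + b"\0" * (cert_offset - len(image)) + cert


if __name__ == "__main__":
    for label, sample in (("clean", build_stub(SAMPLE_PKCS7)),
                          ("tampered", build_stub(SAMPLE_PKCS7, b"payload"))):
        print(label, "->", "unauthenticated tail" if has_unauthenticated_tail(sample)
              else "only alignment padding", appended_data(sample))
```

The same length comparison can be run over a real signed DLL by replacing the stub with the file's bytes; a non-zero tail is a reason to distrust the file regardless of what a lenient verifier reports, and a zero tail is necessary but not sufficient, since the blob's signature and certificate chain still have to be validated separately.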
In a statement on Wednesday, Microsoft emphasized that users can protect themselves with the fix the company released in 2013. And the company noted that, as the Check Point researchers observed in the ZLoader campaign, the vulnerability can only be exploited if a device has already been compromised or attackers directly trick victims into running one of the manipulated files that appears to be signed. “Customers who apply the update and enable the configuration indicated in the security advisory will be protected,” a Microsoft spokesperson told WIRED.
But while the fix is out there, and has been for all this time, many Windows devices likely don't have it enabled, since users and system administrators would need to know about the patch and then choose to set it up. Microsoft noted in 2013 that the vulnerability was being actively exploited by hackers in “targeted attacks.”
“We have a fix, but nobody uses it,” Eisenkraft says. “As a result, a lot of malware would be able to get into companies and personal computers using this method.”
The recent ZLoader attacks primarily targeted victims in the United States, Canada, and India. Other recent ZLoader attacks from an array of actors have used malicious word processing documents, tainted websites, and malicious ads to distribute the malware.
The Check Point researchers believe that this latest campaign was perpetrated by the prolific criminal hackers known as MalSmoke, because the group has a history of using similar techniques and the researchers saw some infrastructure links between this campaign and past MalSmoke hacking. MalSmoke has often had a particular focus on malvertising, particularly hijacking ads on sites and services that distribute porn and other adult content. The group has used ZLoader in past campaigns as well as other malware including the popular malicious downloader called “Smoke Loader.”
It’s not unheard of for vulnerabilities to persist in software for many years, but when those flaws are discovered their longevity typically means that they're lurking in a large number of devices. It's also not unusual for some gadgets, particularly internet of things devices, to go unpatched even when a fix for a particular vulnerability is available. But this campaign represents a difficult scenario to defend against: a vulnerability with a fix so obscure that few would even know to apply it.