How the Hackers Tried Exploiting a Flaw that Microsoft Fixed 9 Years Ago

For over a decade, hackers have long tried a various tactics to get Zloader past anti-malware software. Read on to know more about it…

ZLoader is a widely used malware that appears in a various malicious hacking attempts, ranging from attempts to steal banking passwords and other sensitive data to ransomware attacks. By exploiting a Windows flaw that Microsoft fixed in 2013, a ZLoader campaign that began in November has infected nearly 2,200 individuals in 111 countries.

Hackers have long tried a various tactics to get Zloader past anti-malware software. According to researchers at security firm Check Point, the attackers took advantage of a flaw in Microsoft’s signature verification, the integrity check which ensures that a file is legitimate and trustworthy. To gain access and device control, the attackers first trick victims into installing Atera, a legit remote IT management tool. However, the hackers still need to install ZLoader without it being detected or blocked by Windows Defender or another malware scanner.

Microsoft’s Decade Old Flaw
For the attackers, the decade old flaw of Microsoft came in handy at this point. Attackers could change a legit “Dynamic-link library” file which is a common file used by various pieces of software to load code to plant their malware. Microsoft has digitally signed the target DLL file, ensuring its legitimacy. However, attackers were able to add a malicious script to the file invisibly, bypassing Microsoft’s approval process.

Kobi Eisenkraft, a Malware Researcher at Check Point, said “When you see a file like a DLL that’s signed you’re pretty sure that you can trust it, but this shows that’s not always the case,”

“I think we will see more of this method of attack.”

The code-signing process of Microsoft is known as “Authenticode”.

In 2013, Microsoft issued a patch that tightened Authenticode’s signature verification, allowing it to flag files that had been tampered with in this way. The fix was supposed to be rolled out to all Windows users, but Microsoft changed its plan in July 2014 and decided to make the update optional.

“As we worked with customers to adapt to this change, we determined that the impact to existing software could be high,” Microsoft wrote in 2014, meaning that the fix was causing false positives where legitimate files were flagged as potentially malicious. “Therefore, Microsoft no longer plans to enforce the stricter verification behavior as a default requirement. The underlying functionality for stricter verification remains in place, however, and can be enabled at customer discretion.”

While the security fix existed for some time, several Windows devices are unlikely to have it enabled because users and system administrators would need to be aware of the patch and then choose to install it. Hackers were actively exploiting the vulnerability in “targeted attacks,” according to Microsoft in 2013.

Eisenkraft saod that “We have a fix, but nobody uses it,”

“As a result, a lot of malware would be able to get into companies and personal computers using this method.”

The victims of the latest ZLoader attacks were mostly from the United States, Canada, and India. Malicious word processing documents, tainted websites, and malicious advertising to distribute the malware have all been employed in recent ZLoader attacks by various attackers.

The Check Point researchers believe this recent campaign was carried out by the prolific criminal hackers known as MalSmoke, because the malicious group has a history of using similar approaches and the Check Point researchers noticed some infrastructure links between this campaign and previous MalSmoke hacking.

MalSmoke has a history of focusing on malvertising, including hijacking adverts on adult websites and services. In the past campaigns, the malicious group has used ZLoader as well as other malware, such as the popular malicious downloader “Smoke Loader.”

A Brief Conclusion
Vulnerabilities in software can exist for years, but when they’re identified, they usually signify they’re present in a large number of devices. It’s also very uncommon for some gadgets, particularly IoT devices, to remain unpatched even after a fix for a specific vulnerability is available. However, this campaign presents a tough scenario to fight against: a vulnerability with a fix that is so obscure that few people are aware of it.

Related posts

Linux Foundation Announces Launch of LF India to Expand Global Open Source Support and Innovation

Iris Global Partners with Exatron

TCS launches 2025 cybersecurity outlook; GenAI, cloud security, and ‘Zero Trust’ remain key priorities for enterprises

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More