The widely used ZLoader malware appears in all types of criminal hacking, from efforts aimed at stealing bank passwords and other sensitive data to ransomware attacks. Now, a ZLoader campaign that began in November has infected nearly 2,200 victims in 111 countries by abusing a Windows flaw that Microsoft fixed in 2013.
Hackers have long used a variety of tactics to get ZLoader past malware detection tools. In this case, according to researchers at the security firm Check Point, the attackers exploited a gap in Microsoft’s signature validation, the integrity checks meant to ensure that a file is legitimate and trustworthy. First, they trick victims into installing a legitimate remote IT management tool called Atera in order to access and control the device; this part is neither surprising nor new. From there, though, the hackers still need to install ZLoader without Windows Defender or another malware scanner detecting or blocking it.
This is where the nearly decade-old bug came in handy. Attackers can modify a legitimate Dynamic Link Library file – a common file shared between multiple pieces of software to load code – to implant their malware. The target DLL is digitally signed by Microsoft, which is meant to vouch for its authenticity. But the attackers were able to subtly append malicious code to the file without invalidating Microsoft’s signature.
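As an added example (not code from Check Point, Microsoft or this article), the following Python script checks a PE file for the condition described above: data sitting inside the Authenticode certificate table after the PKCS#7 signature, a region the signature hash does not cover. It assumes a normal signed PE and treats anything beyond the DER-encoded SignedData plus up to seven zero alignment bytes as unaccounted for; the sample bytes used to exercise it are constructed.

```python
import struct
import sys
from typing import Optional

def der_total_length(buf: bytes) -> int:
    """Total encoded size (tag + length + content) of the DER element at buf[0]."""
    if len(buf) < 2:
        raise ValueError("truncated DER element")
    first = buf[1]
    if first < 0x80:                         # short-form length
        return 2 + first
    n = first & 0x7F                         # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def wincert_trailing_bytes(blob: bytes) -> int:
    """Bytes inside a WIN_CERTIFICATE that follow the PKCS#7 SignedData and are not zero
    alignment padding. The Authenticode hash does not cover this region, so data appended
    here leaves the signature valid; a non-zero result means the table holds more than it."""
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", blob, 0)
    if cert_type != 2:                       # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError(f"unexpected certificate type {cert_type:#x}")
    cert = blob[8:dw_length]
    if cert[:1] != b"\x30":                  # PKCS#7 ContentInfo is a DER SEQUENCE
        raise ValueError("certificate data does not start with a DER SEQUENCE")
    extra = cert[der_total_length(cert):]
    zeros = len(extra) - len(extra.rstrip(b"\x00"))
    return len(extra) - min(zeros, 7)        # up to 7 zero bytes are legitimate quadword padding

def pe_security_directory(data: bytes) -> Optional[bytes]:
    """Return the raw attribute certificate table of a PE image, or None if it is unsigned."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+
    offset, size = struct.unpack_from("<II", data, data_dirs + 4 * 8)  # entry 4: SECURITY
    if offset == 0 or size == 0:
        return None
    return data[offset:offset + size]        # this entry stores a file offset, not an RVA

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        table = pe_security_directory(fh.read())
    print("no Authenticode signature" if table is None
          else f"{wincert_trailing_bytes(table)} byte(s) appended after the PKCS#7 SignedData")
```

A non-zero result is a reason to inspect the file, not proof of tampering: some legitimate installers store tag data in this region, which is the kind of compatibility impact on existing software that Microsoft cited when it made the stricter check optional.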
“When you see a file like a DLL that is signed, you’re pretty sure you can trust it, but it shows that’s not always the case,” says Kobi Eisenkraft, a Check Point malware researcher. “I think we’ll see more of this method of attack.”
Microsoft calls its code-signing process Authenticode. It released a fix in 2013 that made Authenticode signature verification stricter, so that files subtly tampered with in this way would be flagged. Originally, the patch was to be pushed out to all Windows users, but in July 2014 Microsoft revised its plan, making the update optional.
“As we work with customers to adapt to this change, we have determined that the impact on existing software could be significant,” the company wrote in 2014, meaning that the fix caused false positives, with legitimate files flagged as potentially harmful. “Therefore, Microsoft no longer plans to enforce stricter verification behavior as a default requirement. The basic functionality of stricter verification remains in place, however, and can be enabled at the customer’s discretion.”
Microsoft confirmed in a statement on Wednesday that users can protect themselves with the fix the company released in 2013. The company noted that, as Check Point’s researchers observed in the ZLoader campaign, the vulnerability can only be exploited if a device has already been compromised, or if attackers directly trick victims into running one of the tampered files, which appear to be legitimately signed. “Customers who apply the update and enable the configuration indicated in the security advisory will be protected,” a Microsoft spokesperson told WIRED.
But while the fix exists, and has been available this whole time, it’s possible that many Windows machines don’t have it enabled, since users and system administrators would need to know about the patch and then choose to turn it on. Microsoft indicated in 2013 that hackers were actively exploiting the vulnerability in “targeted attacks”.