The widely used malware ZLoader crops up in all sorts of criminal hacking, from efforts that aim to steal banking passwords and other sensitive data to ransomware attacks. Now, a ZLoader campaign that began in November has infected almost 2,200 victims in 111 countries by abusing a Windows flaw that Microsoft fixed back in 2013.
Hackers have long used a variety of tactics to sneak ZLoader past malware detection tools. In this case, according to researchers at security firm Check Point, the attackers took advantage of a gap in Microsoft’s signature verification, the check that a file’s digital signature matches its contents and chains to a trusted publisher. First, they’d trick victims into installing a legitimate remote IT management tool called Atera to gain access and device control; that part’s not particularly surprising or novel. From there, though, the hackers still needed to install ZLoader without Windows Defender or another malware scanner detecting or blocking it.
This is where the nearly decade-old flaw came in handy. Attackers could modify a legitimate dynamic-link library (DLL), a file of shared code that many programs load, to plant their malware. The target DLL is digitally signed by Microsoft, and that signature is supposed to prove both who published the file and that it has not been altered since. But the Authenticode hash that the signature covers deliberately excludes the region of the file that holds the signature itself, so attackers were able to inconspicuously append a malicious script inside that region without invalidating Microsoft’s stamp of approval.
“When you see a file like a DLL that’s signed you’re pretty sure that you can trust it, but this shows that’s not always the case,” says Kobi Eisenkraft, a malware researcher at Check Point. “I think we will see more of this method of attack.”
Microsoft calls its code-signing process “Authenticode.” It released a fix in 2013 (Microsoft Security Advisory 2915720, tracked as CVE-2013-3900) that made Authenticode’s signature verification stricter, rejecting signature blocks that carry extra data beyond the signature structure itself, which is exactly how files manipulated in this way get caught. Originally the stricter behavior was going to be enforced for all Windows users, but in July 2014 Microsoft revised its plan, leaving it switched off unless an administrator turns it on.
“As we worked with customers to adapt to this change, we determined that the impact to existing software could be high,” the company wrote in 2014, meaning that the fix was causing false positives where legitimate files were flagged as potentially malicious. “Therefore, Microsoft no longer plans to enforce the stricter verification behavior as a default requirement. The underlying functionality for stricter verification remains in place, however, and can be enabled at customer discretion.”
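To make both the gap and the stricter check concrete, here is an added example in Python; it is not code from the article, from Check Point or from Microsoft. It constructs a minimal PE32+ image whose certificate table holds a dummy DER blob standing in for the PKCS#7 signature, shows that appending bytes inside that table leaves the Authenticode-hashed region unchanged (so a real signature would still verify), and then applies a padding check of the kind the opt-in verification performs. The function names (build_min_pe, append_to_cert_table, cert_table_padding, is_padding_suspicious, authenticode_hash), the constructed placeholder signature and payload, and the 8-byte alignment tolerance are this example's own assumptions, not Microsoft's implementation.

```python
"""Authenticode padding check: find data smuggled into a signed PE's certificate table.

Added example, not from the article. The "signature" is a constructed DER SEQUENCE,
not a real PKCS#7 SignedData, and the PE image is a minimal sectionless PE32+ stub.
"""
import hashlib
import struct

SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY
PE32PLUS_MAGIC = 0x20B
OPT_CHECKSUM_OFF = 64           # CheckSum field inside the optional header
OPT_DATADIR_OFF = 112           # first data directory in a PE32+ optional header

# Constructed stand-in for the PKCS#7 blob: SEQUENCE { OID signedData, [0] 21 filler bytes }
DUMMY_SIG = (b"\x30\x82" + struct.pack(">H", 0x22)
             + b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
             + b"\xa0\x15" + b"\xaa" * 21)
# Constructed marker standing in for the script the attackers appended
PAYLOAD = b"' constructed payload marker\r\n"

def _opt_header(pe: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    return e_lfanew + 24            # 4-byte signature + 20-byte COFF header

def _security_dir(pe: bytes):
    """Return (offset of the directory entry, file offset of cert table, its size)."""
    opt = _opt_header(pe)
    assert struct.unpack_from("<H", pe, opt)[0] == PE32PLUS_MAGIC, "PE32+ only"
    entry = opt + OPT_DATADIR_OFF + 8 * SECURITY_DIR_INDEX
    off, size = struct.unpack_from("<II", pe, entry)
    return entry, off, size

def der_length(blob: bytes) -> int:
    """Total length (tag + length bytes + content) of the outer DER element."""
    assert blob[0] == 0x30, "expected a DER SEQUENCE"
    first = blob[1]
    if first < 0x80:
        return 2 + first
    assert first != 0x80, "indefinite length is not valid DER"
    n = first & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def cert_table_padding(pe: bytes) -> bytes:
    """Bytes inside the certificate table that lie past the DER signature blob."""
    _, off, size = _security_dir(pe)
    dw_length = struct.unpack_from("<I", pe, off)[0]
    assert dw_length == size, "example assumes a single WIN_CERTIFICATE entry"
    sig = pe[off + 8: off + dw_length]      # skip dwLength, wRevision, wCertificateType
    return sig[der_length(sig):]

def is_padding_suspicious(pe: bytes) -> bool:
    """Assumption: zero padding to an 8-byte boundary is legitimate; anything longer
    or non-zero is data the signature never covered and the strict check rejects."""
    pad = cert_table_padding(pe)
    return len(pad) >= 8 or any(pad)

def authenticode_hash(pe: bytes) -> str:
    """SHA-256 over what Authenticode signs, for this sectionless layout: everything
    except the CheckSum field, the security directory entry and the certificate
    table. (Real files additionally walk the sections in file order.)"""
    opt = _opt_header(pe)
    cks = opt + OPT_CHECKSUM_OFF
    entry, off, _ = _security_dir(pe)
    h = hashlib.sha256()
    h.update(pe[:cks]); h.update(pe[cks + 4:entry]); h.update(pe[entry + 8:off])
    return h.hexdigest()

def build_min_pe(cert_blob: bytes) -> bytes:
    """Constructed minimal PE32+ image: DOS header, PE header, no sections, cert table at EOF."""
    e_lfanew = 64
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    headers_len = e_lfanew + 4 + 20 + 240              # 328
    struct.pack_into("<I", opt, 60, headers_len)       # SizeOfHeaders
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    struct.pack_into("<II", opt, OPT_DATADIR_OFF + 8 * SECURITY_DIR_INDEX,
                     headers_len, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert

def append_to_cert_table(pe: bytes, payload: bytes) -> bytes:
    """The manipulation the article describes: grow the certificate table by `payload`
    and bump dwLength and the directory size so the file still parses."""
    entry, off, size = _security_dir(pe)
    out = bytearray(pe) + payload
    struct.pack_into("<I", out, off, size + len(payload))
    struct.pack_into("<II", out, entry, off, size + len(payload))
    return bytes(out)

def demo() -> dict:
    clean = build_min_pe(DUMMY_SIG + b"\0\0")      # two zero bytes: legitimate alignment
    tampered = append_to_cert_table(clean, PAYLOAD)
    return {
        "clean_hash": authenticode_hash(clean),
        "tampered_hash": authenticode_hash(tampered),   # identical: signature still "valid"
        "clean_suspicious": is_padding_suspicious(clean),
        "tampered_suspicious": is_padding_suspicious(tampered),
        "tampered_padding": cert_table_padding(tampered),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script and the two hashes match while only the tampered image trips the padding check, which is the whole story in miniature: the default verifier trusts the declared certificate-table length, the strict one insists the table contain nothing but the signature and alignment padding. Pointing cert_table_padding at a real signed binary (after swapping in a section-aware hash) is a cheap triage step for files that pass signature verification but still look wrong.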
In a statement on Wednesday, Microsoft emphasized that users can protect themselves with the fix the company released in 2013. And the company noted that, as the Check Point researchers observed in the ZLoader campaign, the vulnerability can only be exploited if a device has already been compromised or attackers directly trick victims into running one of the manipulated files that appears to be signed. “Customers who apply the update and enable the configuration indicated in the security advisory will be protected,” a Microsoft spokesperson told WIRED.
But while the fix is out there, and has been for all this time, many Windows devices likely don’t have it enabled, since users and system administrators would need to know about the patch and then choose to set it up: the stricter check is switched on by a registry value, EnableCertPaddingCheck, under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and the matching Wow6432Node key on 64-bit Windows), and nothing sets it by default. Microsoft noted in 2013 that the vulnerability was being actively exploited by hackers in “targeted attacks.”