- Feb 4, 2016
Malware authors can exploit a flaw in the Windows Code Integrity Guard (CIG) security mechanism to inject malicious, unsigned code into CIG-protected applications, considered to be immune to such attacks.
The technique —named CIGslip— impacts Microsoft's Code Integrity Guard (CIG), a security system that Microsoft first introduced in 2015 with the launch of Windows 10.
CIG was part of Device Guard, and Microsoft used this mechanism to prevent tampering of OS drivers loaded in Windows 10. Following its launch, Microsoft expanded CIG to Microsoft Edge [1, 2], and later also allowed software developers to deploy CIG with their own applications.
An application that opts into CIG will only load code (DLLs and other binaries) that is signed with a Microsoft or Windows Store certificate.
CIG's main benefit is that even if a user's computer is infected, malware won't be able to inject malicious code into CIG-protected apps. For example, a banking trojan won't be able to load the code necessary to show phishing pages inside Edge, a CIG-protected app.
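As an added illustration (not code from the article or from Morphisec), the following PowerShell shows how a developer or administrator opts an application into CIG using the ProcessMitigation cmdlets that ship with Windows 10 version 1709 and later. The executable name `MyApp.exe` is a placeholder, the session is assumed to be elevated, and the function name is this example's own. The setting is stored per executable name, so it applies to new instances of that program rather than to processes already running.

```powershell
# Added example (not from the article or Morphisec): opt an application into
# Code Integrity Guard with the Windows 10 (1709+) ProcessMitigation cmdlets.
# Run from an elevated PowerShell session. 'MyApp.exe' is a placeholder name.
function Enable-CodeIntegrityGuard {
    param(
        [Parameter(Mandatory)] [string] $ExecutableName,
        [switch] $AllowStoreSigned   # also accept Windows Store signed binaries
    )

    # MicrosoftSignedOnly is the CIG setting: only Microsoft-signed images may load.
    $options = @('MicrosoftSignedOnly')
    if ($AllowStoreSigned) { $options += 'AllowStoreSignedBinaries' }

    Set-ProcessMitigation -Name $ExecutableName -Enable $options

    # Read the policy back so the change can be confirmed and recorded.
    Get-ProcessMitigation -Name $ExecutableName
}

Enable-CodeIntegrityGuard -ExecutableName 'MyApp.exe' -AllowStoreSigned
```

Reading the policy back with `Get-ProcessMitigation` is the quick check that the setting actually took effect; the same cmdlet, run against the browser or application an organization relies on, confirms whether that program is in fact CIG-protected.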
CIGslip attack bypasses Code Integrity Guard protections
But Morphisec security researchers revealed today that there is a way to bypass CIG checks by placing the malicious code inside a non-CIG process and injecting it into a CIG-protected app from there.
The technical details of the CIGslip attack are covered in more depth in Morphisec's CIGslip report. A video demo is available here.
Expect CIGslip in banking trojans and adware
Michael Gorelik, Morphisec CTO and VP of R&D, says CIGslip has "serious destructive potential if [it] becomes popular."
Banking trojans are probably the first place someone could expect to see CIGslip, but the attack is just as useful for adware developers, who are always looking for new ways to overlay ads on top of legitimate sites.
But Gorelik argues that the technique could also be abused by legitimate security vendors. The reason is that for an antivirus product to inspect browser-based malware, its vendor needs to go through a lengthy technical and legal process and have Microsoft sign the AV's DLLs. CIGslip gives shady antivirus makers a way around this lengthy and cumbersome process.