CIGslip Attack Bypasses Windows Code Integrity Guard (Expect CIGslip in banking trojans and adware)

LASER_oneXM

Feb 4, 2016
Malware authors can exploit a flaw in the Windows Code Integrity Guard (CIG) security mechanism to inject malicious, unsigned code into CIG-protected applications, which were considered immune to such attacks.

The technique —named CIGslip— impacts Microsoft's Code Integrity Guard (CIG), a security system that Microsoft first introduced in 2015 with the launch of Windows 10.

CIG was part of Device Guard, and Microsoft used this mechanism to prevent tampering with OS drivers loaded in Windows 10. Following its launch, Microsoft expanded CIG to Microsoft Edge [1, 2], and later also allowed software developers to deploy CIG with their own applications.

An application coded to support CIG will only load code (DLLs, binaries) that are signed with a Microsoft or Windows Store certificate.

CIG's main benefit is that even if a user's computer is infected, malware won't be able to inject malicious code into CIG-protected apps. For example, a banking trojan won't be able to load the code necessary to show phishing pages inside Edge, a CIG-protected app.


CIGslip attack bypasses Code Integrity Guard protections
But Morphisec security researchers revealed today that there is a way to bypass CIG checks by placing the malicious code inside a non-CIG process and injecting it into a CIG-protected app from there.

The technical details of the CIGslip attack are described in more depth in Morphisec's CIGslip report. A video demo is available here.

Expect CIGslip in banking trojans and adware

Michael Gorelik, Morphisec CTO and VP of R&D, says CIGslip has "serious destructive potential if [it] becomes popular."

Banking trojans are probably the first place someone could expect to see CIGslip, but the attack is just as useful for adware developers, always looking for new ways to overlay ads on top of legitimate sites.


But Gorelik argues that the technique could also be abused by legitimate security vendors. The reason is that for an antivirus product to check browser-based malware, its vendor needs to go through a lengthy technical and legal process and have Microsoft sign the AV's DLLs. CIGslip also gives shady antivirus makers a way around this lengthy and cumbersome process.
 
  • Like
Reactions: harlan4096
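The post mentions that developers can opt their own applications into CIG. The following is an added example, not code from the article or from Morphisec's report, showing how an administrator turns CIG on for a third-party image and verifies the setting with the ProcessMitigation cmdlets that ship with Windows 10 1709 and later. `SomeApp.exe` is a placeholder image name, and the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the Morphisec report or the article): enable Code
# Integrity Guard for a third-party application and read the setting back.
# Requires Windows 10 1709 or later and an elevated PowerShell session.

$exe = 'SomeApp.exe'   # assumption: placeholder name of the executable to protect

# Opt the image into CIG. MicrosoftSignedOnly restricts image loads to
# Microsoft-signed binaries; AllowStoreSignedBinaries also permits code
# signed with a Windows Store certificate, matching what the post describes.
Set-ProcessMitigation -Name $exe -Enable MicrosoftSignedOnly, AllowStoreSignedBinaries

# Read back the per-image policy and show only the signature-related flags.
$policy = Get-ProcessMitigation -Name $exe
$policy.BinarySignature |
    Format-List MicrosoftSignedOnly, AllowStoreSignedBinaries, EnforceModuleDependencySigning

# The per-image setting only applies to processes started afterwards. To check
# what a process that is already running actually has, query it by process ID.
$running = Get-Process -Name ($exe -replace '\.exe$', '') -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($running) {
    (Get-ProcessMitigation -Id $running.Id).BinarySignature
} else {
    Write-Host "$exe is not running; start it and re-run the live check."
}

# Roll back if the application fails to start because it depends on unsigned DLLs:
# Set-ProcessMitigation -Name $exe -Disable MicrosoftSignedOnly, AllowStoreSignedBinaries
```

The live check matters because a policy written to the registry does nothing for processes that were already running when it was set. Note also that, per the post, CIGslip works by staging the code in a non-CIG process and injecting from there, so confirming that `MicrosoftSignedOnly` is enabled tells you the mitigation is on, not that the process is safe from this particular bypass.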