Gandalf_The_Grey
Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 7,232
Last edited by a moderator:
Microsoft code-sign check bypassed to drop Zloader malware
- Thread starter Gandalf_The_Grey
- Start date
- Dec 23, 2014
- 8,481
This attack includes a very interesting element. One of the DLLs is a modified legal DLL signed by Microsoft. Any digitally signed file can be slightly modified without breaking the certificate. The added code is inactive, so if the modified DLL is executed as a DLL library, then the added code is not executed. Such a method can be only used as a container to hide the malicious code.
In the case of this attack, the modified DLL is executed as the HTA script by the Mshta LOLBin (the script can have any file extension). In this way, the malicious script hidden in the DLL is run by the Mshta interpreter.
In the case of this attack, the modified DLL is executed as the HTA script by the Mshta LOLBin (the script can have any file extension). In this way, the malicious script hidden in the DLL is run by the Mshta interpreter.
Last edited:
- Jun 23, 2018
- 441
I'm doing the same on Windows 10, no problems noted so far.
- Dec 12, 2016
- 1,319
Haven’t known this was even possible any white papers of such a dll modification ?This attack includes a very interesting element. One of the DLLs is a modified legal DLL signed by Microsoft. Any digitally signed file can be slightly modified without breaking the certificate. The added code is inactive, so if the modified DLL is executed as a DLL library, then the added code is not executed. Such a method can be only used as a container to hide the malicious code.
In the case of this attack, the modified DLL is executed as the HTA script by the Mshta LOLBin (the script can have any file extension). In this way, the malicious script hidden in the DLL is run by the Mshta interpreter.
Would this stop this?
Added to Userspace = YES in Appguard? I have had this LOLBin added to Appguard for years.
c:\Windows\*\mshta.exe
Guess they are getting bored with using Powershell?
Added to Userspace = YES in Appguard? I have had this LOLBin added to Appguard for years.
c:\Windows\*\mshta.exe
Guess they are getting bored with using Powershell?
Last edited by a moderator:
- Dec 12, 2016
- 1,319
Thanks a lot !this vulnerability in microsoft authenticode is old
see image 12:
Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk - Check Point Research
Research by: Golan Cohen Introduction Last seen in August 2021, Zloader, a banking malware designed to steal user credentials and private information, is back with a simple yet sophisticated infection chain. Previous Zloader campaigns, which were seen in 2020, used malicious documents, adult...research.checkpoint.com
the threat actors appended a vbs script to the end of the dll, and using mshta.exe to call the appContact.dll, only the vbs script is loaded
"This gap is apparently a known issue mentioned in the following CVEs: CVE-2020-1599, CVE-2013-3900, and CVE-2012-0151. Microsoft addressed the issue in 2013 with a Security Bulletin and pushed a fix."
- Dec 23, 2014
- 8,481
Another method is injecting shellcode into a PE file's [WIN_CERTIFICATE] certificate table. The digital signature is not broken but the file hashes are changed (except the AuthentiHash). This possibility follows directly from the Authenticode details:
Normally, one has to use also a kind of loader that can read/execute the shellcode embedded in the PE file. The method from the OP is simpler because it uses Mshta LOLBin as a loader.
Last edited:
Similar threads
