Microsoft code-sign check bypassed to drop Zloader malware

Gandalf_The_Grey

A new Zloader campaign exploits Microsoft's digital signature verification to deploy malware payloads and steal user credentials from thousands of victims from 111 countries.

The campaign orchestrated by a threat group known as MalSmoke appears to have started in November 2021, and it's still going strong, according to Check Point researchers who have spotted it.

Zloader (aka Terdot and DELoader) is a banking malware first spotted back in 2015 that can steal account credentials and various types of sensitive private information from infiltrated systems.

More recently, Zloader has been used to drop further payloads on infected devices, including ransomware payloads such as Ryuk and Egregor.

MalSmoke has explored various ways of distributing the info-stealing malware, ranging from spam mail and malvertising to using adult content lures.
 

Andy Ful

This attack includes a very interesting element. One of the DLLs is a modified legal DLL signed by Microsoft. Any digitally signed file can be slightly modified without breaking the certificate. The added code is inactive, so if the modified DLL is executed as a DLL library, then the added code is not executed. Such a method can be only used as a container to hide the malicious code.
In the case of this attack, the modified DLL is executed as the HTA script by the Mshta LOLBin (the script can have any file extension). In this way, the malicious script hidden in the DLL is run by the Mshta interpreter.
(y)
 

Vitali Ortzi

This attack includes a very interesting element. One of the DLLs is a modified legal DLL signed by Microsoft. Any digitally signed file can be slightly modified without breaking the certificate. The added code is inactive, so if the modified DLL is executed as a DLL library, then the added code is not executed. Such a method can be only used as a container to hide the malicious code.
In the case of this attack, the modified DLL is executed as the HTA script by the Mshta LOLBin (the script can have any file extension). In this way, the malicious script hidden in the DLL is run by the Mshta interpreter.
(y)
Haven't known this was even possible. Any white papers on such a DLL modification?
 

Vitali Ortzi

Would this stop this?

Added to Userspace = YES in Appguard? I have had this LOLBin added to Appguard for years.

c:\Windows\*\mshta.exe
This vulnerability in Microsoft Authenticode is old.

see image 12:


The threat actors appended a VBS script to the end of the DLL, and when using mshta.exe to call appContact.dll, only the VBS script is loaded.

"This gap is apparently a known issue mentioned in the following CVEs: CVE-2020-1599, CVE-2013-3900, and CVE-2012-0151. Microsoft addressed the issue in 2013 with a Security Bulletin and pushed a fix."
Thanks a lot!
 

Andy Ful

Haven't known this was even possible. Any white papers on such a DLL modification?
Another method is injecting shellcode into a PE file's [WIN_CERTIFICATE] certificate table. The digital signature is not broken but the file hashes are changed (except the AuthentiHash). This possibility follows directly from the Authenticode details:

Normally, one has to use also a kind of loader that can read/execute the shellcode embedded in the PE file. The method from the OP is simpler because it uses Mshta LOLBin as a loader.
 
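Both places the thread points at (the data appended after the DLL in the CVE-2013-3900 discussion, and the certificate-table injection Andy Ful describes) have the same root cause: the Authenticode hash skips the security directory and whatever follows it, so a file can grow there without invalidating the signature. The script below is an added example written for this thread, not code from Check Point, the forum members, or Microsoft. It parses a PE's optional header, locates the IMAGE_DIRECTORY_ENTRY_SECURITY table, and reports (a) bytes after the end of the certificate table and (b) unused space inside a WIN_CERTIFICATE entry beyond its DER-encoded PKCS#7 body. The sample PE it audits is constructed inline with a dummy DER SEQUENCE in place of a real signature, so it runs offline; `build_sample_pe` and `audit_authenticode_layout` are names chosen here, not any library's API.

```python
"""Flag bytes in a PE that sit outside what the Authenticode hash covers:
data appended after the certificate table, or slack inside a
WIN_CERTIFICATE entry. Constructed example; not a signature verifier."""
import struct

PE32PLUS_MAGIC = 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_total_length(blob):
    """Total length (tag + length bytes + content) of the outer DER SEQUENCE
    at the start of blob, or None if blob does not start with a SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def audit_authenticode_layout(data):
    """Return a list of findings; an empty list means the layout is tight."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["not a PE file (missing MZ header)"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["not a PE file (missing PE signature)"]
    opt = e_lfanew + 4 + 20               # optional header follows COFF header
    if len(data) < opt + 2:
        return ["truncated optional header"]
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (112 if magic == PE32PLUS_MAGIC else 96)
    sec_entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if len(data) < sec_entry + 8:
        return ["truncated data directories"]
    sec_off, sec_size = struct.unpack_from("<II", data, sec_entry)
    if sec_off == 0 or sec_size == 0:
        return ["no certificate table: file is not Authenticode-signed"]
    table_end = sec_off + sec_size
    if table_end > len(data):
        return ["certificate table runs past end of file (malformed)"]
    findings = []
    if table_end < len(data):             # CVE-2013-3900 style trailing data
        findings.append(f"{len(data) - table_end} bytes appended after the certificate table")
    pos = sec_off                         # walk 8-byte aligned WIN_CERTIFICATE entries
    while pos + 8 <= table_end:
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if dw_length < 8 or pos + dw_length > table_end:
            findings.append(f"malformed WIN_CERTIFICATE at offset {pos:#x}")
            break
        blob = data[pos + 8:pos + dw_length]
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            der_len = der_total_length(blob)
            if der_len is None:
                findings.append(f"PKCS#7 blob at offset {pos + 8:#x} is not a DER SEQUENCE")
            else:
                slack = blob[der_len:]    # tolerate up to 7 zero bytes of alignment padding
                if len(slack) > 7 or any(slack):
                    findings.append(f"{len(slack)} unhashed bytes inside WIN_CERTIFICATE at offset {pos:#x}")
        pos += (dw_length + 7) & ~7
    return findings


def build_sample_pe(cert_slack=b"", appended=b""):
    """Construct a minimal PE32+ image (no sections) with a fake certificate
    table. The PKCS#7 body is a 7-byte dummy DER SEQUENCE, not a signature."""
    pkcs7 = b"\x30\x05\x02\x03\x01\x00\x01"
    body = pkcs7 + cert_slack
    entry = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    entry += b"\0" * ((-len(entry)) % 8)  # pad entry to an 8-byte boundary
    cert_off = 512
    opt = bytearray(240)                  # PE32+ optional header with 16 directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(entry))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x2022)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    image = headers + b"\0" * (cert_off - len(headers))
    return image + entry + appended


if __name__ == "__main__":
    print("clean:", audit_authenticode_layout(build_sample_pe()))
    print("appended:", audit_authenticode_layout(build_sample_pe(appended=b"A" * 40)))
    print("table slack:", audit_authenticode_layout(build_sample_pe(cert_slack=b"\x90" * 32)))
```

Run it against a real signed binary by passing the file's bytes to `audit_authenticode_layout`; a tight layout returns an empty list. The check is deliberately stricter than Windows' default: the MS13-098 fix that the quoted post mentions is opt-in (the EnableCertPaddingCheck setting), so an unmodified verifier still accepts the appended-data layout this script flags.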