Latest Zloader Campaign Abuses Microsoft Signature Verification

January 14, 2022 · 4 min read

Zloader (aka Terdot and DELoader) is raging worldwide, evading banking systems’ defenses. Not something one expects to find under their Christmas trees, especially accompanied by the calamitous Log4j Vulnerability, but these are some crazy times we live in. According to the researchers, Zloader attack routines are growing in scale and sophistication, adopting diversified techniques and evasion methods. Over the last few years, adversaries have taken up different approaches and exploits to drop Zloader malware.

Zloader Cyber-Attacks

Zloader, a banking malware designed to steal login credentials and users’ private information, is back with a new infection chain. This malware has been around for a while, originating from the ZeuS malware family known since 2006. Zloader itself first popped up in 2015, enabling adversaries to steal account credentials along with other types of sensitive data. Being the most notoriously known banking Trojan, the malware is gaining its momentum: since a leak of the ZeuS code in 2011, numerous Zloader variants have already been implemented by adversaries. Given the effectiveness of the tool, it is safe to assume that there are many more in ongoing development.

It is widely discussed that this particular cyber kill chain exploiting Microsoft e-signature was launched back in November 2021 by cyber gang MalSmoke. The brand new Zloader banking malware campaign abuses Microsoft’s digital signature verification to inject code into a signed system DLL and has already affected 2200+ users in more than 111 countries.

New Zloader Attack Kill Chain

The in-depth analysis by Check Point reveals that the latest Zloader campaign abuses the legit Atera remote monitoring and management (RMM) tool to gain a foothold on the targeted instance. Particularly, adversaries take advantage of the Atera’s ability to install an agent on the endpoint and assign it to a specific account tied to the attacker’s email address. This allows threat actors to gain full access to the system of interest, including the ability to run malicious code and upload or download files. 

While exploring the next stage of the attack, security experts have spotted two .bat files being executed by adversaries in the course of the campaign to change Windows Defender configurations and upload other pieces of the malicious code. The later one, appContast.dll, is executed with “regsvr32.exe” and injected into the “msiexec.exe” process to load the final Zloader payload from the C&C server under hackers’ control.

The campaign operators have put a lot of effort to boost the evasive capabilities while granting malware broad access to the targeted systems. Security experts note that several scripts are used throughout the attack to avoid detection, elevate privileges, and disable security protections while injecting the main payload to the running processes. 

Notably, the appContast.dll, a legitimate Atera library with the appended script to install Zloader. obtains a valid code signature, so the Windows OS essentially trusts it. Check Point experts believe that MalSmoke hackers leveraged the older issue in Microsoft’s signature validation process (CVE-2020-1599, CVE-2013-3900, CVE-2012-0151) revealed in 2012. Despite the bugs being fixed by the vendor with the stricter file verification policies, somehow the updates remain disabled in default configs. 

Detecting Latest Zloader Campaign

To strengthen your defenses against Zloader and detect possible attacks against your infrastructure, you can download a free Sigma rule available in the SOC Prime’s Detection as Code platform.

New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification (via registry_event)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Chronicle Security, LimaCharlie, SentinelOne, Microsoft Defender ATP, CrowdStrike, Apache Kafka ksqlDB, Carbon Black, Sysmon, Qualys, Securonix, and Open Distro.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Defense Evasion tactic with Modify Registry as the main technique (T1112).

The full list of detections available in the Threat Detection Marketplace repository of the SOC Prime platform is available here

Join SOC Prime, the world’s first platform for collaborative cyber defense, threat hunting and discovery that integrates with 20+ SIEM and XDR platforms. Instantly hunt for the latest threats, automate threat investigation, and get feedback and vetting by 20,000+ community of security professionals to boost your security operations. Are you a content author? Tap into the power of the world’s largest cyber defense community by joining the SOC Prime Threat Bounty program, where researchers can monetize their own detection content.

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts