fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Code-Sign Check Bypassed to Drop Zloader Malware

Microsoft Code-Sign Check Bypassed to Drop Zloader Malware

A new Zloader campaign exploits Microsoft’s digital signature verification to deploy malware payloads and steal user credentials from thousands of victims from 111 countries.

The campaign orchestrated by a threat group known as MalSmoke appears to have started in November 2021, and it’s still going strong, according to Check Point researchers who have spotted it.

Zloader (aka Terdot and DELoader) is a banking malware first spotted back in 2015 that can steal account credentials and various types of sensitive private information from infiltrated systems.

More recently, Zloader has been used to drop further payloads on infected devices, including ransomware payloads such as Ryuk and Egregor,

Also Read: Best Privacy Certification: 3 Simple Steps On How To Achieve

MalSmoke has explored various ways of distributing the info-stealing malware, ranging from spam mail and malvertising to using adult content lures.

Abusing Atera remote management software

In the most recent campaign, tracked and analyzed by researchers at Check Point, the infection begins with delivering a “Java.msi” file that’s a modified installer of Atera.

Atera is a legitimate enterprise remote monitoring and management software widely used in the IT sector. As such, AV tools are unlikely to warn the victim, even if the installer is slightly modified.

It is unclear how the threat actors tricked the victims into downloading the malicious file, but it could be through cracks found on pirated software resources or spear-phishing emails.

Zloader later campaign infection chain
Zloader later campaign infection chain
Source: Check Point

Upon execution, Atera creates an agent and assigns the endpoint to an email address under the threat actor’s control.

The attackers then gains full remote access to the system, which allows them to execute scripts and upload or download files, most notably Zloader malware payloads.

Also Read: Computer Misuse Act Singapore: The Truth And Its Offenses

Atera’s remote monitoring solution comes with 30 days of a free trial, which is more than enough for the adversaries to carry out the attack.

Dropping Zloader

The batch scripts included in the malicious installer perform some user-level checks to ensure they have admin privileges, add folder exclusions to Windows Defender, and disable tools such as “cmd.exe” and the task manager.

Next, the following additional files are downloaded into the %AppData% folder:

  • 9092.dll – the main payload, Zloader.
  • adminpriv.exe – Nsudo.exe, which enables running programs with elevated privileges.
  • appContast.dll – used to run 9092.dll and new2.bat.
  • reboot.dll – also used to run 9092.dll.
  • new2.bat – disables “Admin Approval Mode” and shuts down the computer.
  • auto.bat – placed in the Startup folder for boot persistence.

Zloader is executed with “regsvr32.exe” and injected into the “msiexec.exe” process, which communicates with the C2 server (lkjhgfgsdshja[.]com).

Finally, the “new2.bat” script edits the registry to set the privileges of all applications to the administrator level. For this change to take effect, a restart is required, so the malware forces the infected system to reboot at this point.

Microsoft code-signing checks bypassed

Check Point analysts have confirmed that the appContast.dll, which executes the Zloader payload and the registry-editing script carries a valid code signature, so the OS essentially trusts it.

Malicious DLL carrying a valid code signature
Malicious DLL carrying a valid code signature
Source: Check Point

The analysts compared the modified DLL with the original one (Atera’s) and found slight modifications in the checksum and the signature size.

These subtle changes aren’t enough to revoke the validity of the e-signature, but at the same time, allow someone to append data onto the signature section of a file.

Signature section changes in the DLL
Signature section changes in the DLL
Source: Check Point

Microsoft has known about this security gap since 2012 (CVE-2020-1599CVE-2013-3900, and CVE-2012-0151) and has attempted to fix it by releasing increasingly stricter file verification policies. However, for some reason, these remain disabled by default.

You can find instructions on fixing this issue yourself by enabling stricter policies as detailed in this legacy advisory.

Alternatively, you may paste the lines below into Notepad, save the file with the .reg extension and run it.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

Primarily hit victims from North America

As of January 2, 2021, the latest Zloader campaign has infected 2,170 unique systems, with 864 having US-based IP addresses and 305 more from Canada.

Latest campaign victims diagram
Latest campaign victims diagram
Source: Check Point

Although the number of victims doesn’t seem alarmingly large, these attacks are highly-targeted and can cause significant damage to each victim.

Because the infection vector is unknown, the best way to protect against this threat is to follow the policy tightening recommendations and use the IoCs (indicators of compromise) provided by Check Point’s researchers for pro-active threat detection.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us