Hackers are exploiting a vulnerability that Microsoft fixed 9 years ago

The widely used malware ZLoader has turned up in a range of criminal hacking activity, from efforts to steal bank passwords and other sensitive data to ransomware attacks. Now a ZLoader campaign that began in November has been abusing a Microsoft signature-verification flaw whose fix dates back to 2013.

Hackers have long used various strategies to slip ZLoader past malware detection tools. In this case, according to researchers at the security company Check Point, the attackers exploited a flaw in Microsoft's signature verification, the integrity check that is supposed to confirm that a file is legitimate and trustworthy. First, they trick victims into installing Atera, a legitimate remote IT management tool, to gain access to and control of the device; that part is not particularly surprising or novel. From there, however, the attackers still need to install ZLoader without Windows Defender or other malware scanners detecting or blocking it.

This is where the nearly decade-old flaw comes in. The attackers modify a legitimate dynamic link library (DLL), a common type of file that multiple programs share to load code, to plant their malware. The targeted DLL is digitally signed by Microsoft to prove its authenticity, but the attackers can append a malicious script to the file in an unobtrusive way without invalidating Microsoft's stamp of approval. The signature survives because the Authenticode hash covers the file's headers and sections but not the certificate table that holds the signature itself, so bytes tucked into that region change nothing the signature protects, and Windows still reports the file as validly signed.

"When you see a signed file like a DLL, you are pretty sure you can trust it, but it shows that this is not always the case," said Kobi Eisenkraft, a Check Point malware researcher. "I think we will see more of this attack method."

Microsoft calls its code-signing process Authenticode. In 2013 it released a fix (security bulletin MS13-098, for CVE-2013-3900) that makes Authenticode's signature verification stricter so that files manipulated in this way are flagged. The stricter behavior was initially slated to be pushed to all Windows users, but in July 2014 Microsoft revised its plan and made the update optional.

"As we worked with customers to adapt to this change, we determined that the impact on existing software may be significant," the company wrote in 2014, meaning that the fix produced false positives, where legitimate files were flagged as potentially malicious. "Therefore, Microsoft no longer plans to make the stricter verification behavior the default requirement. However, the basic functionality for stricter verification still exists and can be enabled at the customer's discretion."
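To make the mechanism and the stricter check concrete, here is an added example written for this page (it is not Check Point's tooling or Microsoft's implementation). It builds a constructed toy PE32+ image with a placeholder DER blob standing in for the PKCS#7 SignedData in its certificate table, shows that appending bytes inside that table leaves the Authenticode hash unchanged, and then applies a padding check in the spirit of the 2013 fix: anything non-zero after the DER-encoded signature inside the WIN_CERTIFICATE entry is flagged. Assumptions: the toy image has no sections and a single certificate entry, the "signature" is a placeholder rather than a real signature, and SHA-256 is used as the digest.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot of the certificate table

# Constructed stand-ins: a tiny DER SEQUENCE in place of real PKCS#7 SignedData,
# and a payload an attacker might smuggle in behind it.
PLACEHOLDER_PKCS7 = b"\x30\x05\x04\x03sig"
APPENDED_PAYLOAD = b"<trailing payload>"


def build_cert_table(pkcs7: bytes, trailing: bytes = b"") -> bytes:
    """WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002, bCertificate, 8-byte aligned."""
    body = pkcs7 + trailing
    pad = (-(8 + len(body))) % 8
    return struct.pack("<IHH", 8 + len(body) + pad, 0x0200, 0x0002) + body + b"\x00" * pad


def build_toy_pe(cert_table: bytes) -> bytes:
    """Minimal PE32+: DOS header, PE signature, COFF, optional header, 0 sections, cert table at the end."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)  # 0 sections, 240-byte optional header
    size_of_headers = e_lfanew + 4 + 20 + 240
    opt_std = struct.pack("<HBBIIIIIQIIHHHHHHIIII", 0x20B, 14, 0, 0, 0, 0, 0, 0, 0x140000000,
                          0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x1000, size_of_headers, 0)  # CheckSum = 0
    opt_win = struct.pack("<HHQQQQII", 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (size_of_headers, len(cert_table))  # file offset, size
    data_dirs = b"".join(struct.pack("<II", off, size) for off, size in dirs)
    return dos + b"PE\x00\x00" + coff + opt_std + opt_win + data_dirs + cert_table


def _layout(data: bytes):
    """Offsets the hash and the padding check both need (handles PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)
    sec_entry_off = dd_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    cert_off, cert_size = struct.unpack_from("<II", data, sec_entry_off)
    size_of_headers = struct.unpack_from("<I", data, opt_off + 60)[0]
    return opt_off + 64, sec_entry_off, size_of_headers, opt_off + opt_size, n_sections, cert_off, cert_size


def authenticode_hash(data: bytes) -> str:
    """SHA-256 the way Authenticode hashes a PE: skip the CheckSum field and the Security
    directory entry, hash the rest of the headers, then sections in file order, then any
    trailing data that is not the certificate table. The certificate table is never covered."""
    checksum_off, sec_entry_off, size_of_headers, sect_off, n_sections, _, cert_size = _layout(data)
    h = hashlib.sha256()
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:sec_entry_off])
    h.update(data[sec_entry_off + 8:size_of_headers])
    hashed = size_of_headers
    sections = [struct.unpack_from("<II", data, sect_off + i * 40 + 16) for i in range(n_sections)]
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):  # (SizeOfRawData, PointerToRawData)
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(data) - hashed - cert_size
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def der_total_length(buf: bytes) -> int:
    """Encoded length (tag + length octets + contents) of the DER SEQUENCE at buf[0]."""
    if not buf or buf[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def check_cert_padding(data: bytes) -> dict:
    """Padding check in the spirit of MS13-098: after the SignedData blob only zero alignment
    padding may follow. Assumes a single WIN_CERTIFICATE entry, as in the toy image."""
    cert_off = _layout(data)[5]
    dw_length = struct.unpack_from("<I", data, cert_off)[0]
    content = data[cert_off + 8:cert_off + dw_length]
    sig_len = der_total_length(content)
    trailing = content[sig_len:]
    return {"signature_bytes": sig_len, "trailing_bytes": len(trailing),
            "verdict": "ok" if not any(trailing) else "extra data in certificate table"}


def demo() -> dict:
    """Same placeholder signature with and without smuggled bytes: identical hash, different verdict."""
    clean = build_toy_pe(build_cert_table(PLACEHOLDER_PKCS7))
    tampered = build_toy_pe(build_cert_table(PLACEHOLDER_PKCS7, APPENDED_PAYLOAD))
    return {"hash_unchanged": authenticode_hash(clean) == authenticode_hash(tampered),
            "clean": check_cert_padding(clean), "tampered": check_cert_padding(tampered)}
```

On a real binary the computed hash would be compared against the message digest carried inside the SignedData; here the example only shows that the hash is identical before and after the append, which is exactly why the original signature keeps verifying. The padding check is the part a default Windows install skips unless the 2013 fix's stricter behavior is switched on.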

In a statement on Wednesday, Microsoft emphasized that users can protect themselves with the company's 2013 fix. The company also noted that, as Check Point researchers observed in the ZLoader campaign, the technique only works when the device has already been compromised or when the attacker directly tricks the victim into running one of the manipulated files that appear to be signed. "Customers who apply the update and enable the configuration indicated in the security bulletin will be protected," a Microsoft spokesperson told WIRED. The configuration the bulletin refers to is the EnableCertPaddingCheck registry value under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (plus the Wow6432Node path on 64-bit Windows), which is not set by default.

But although the fix has existed all along, many Windows devices likely do not have it enabled, because users and system administrators need to know about the patch and then choose to turn it on. Microsoft noted back in 2013 that hackers were already actively exploiting the vulnerability in "targeted attacks."
