ZLoader is a widely used piece of malware that turns up in all types of attacks, from attempts to steal bank passwords and other confidential information to ransomware attacks. Now a ZLoader campaign that began in November has infected some 2,200 people in 111 countries by exploiting a Windows flaw that Microsoft fixed back in 2013.
Attackers have used a number of methods to get ZLoader past defenses in previous campaigns. This time, according to security firm Check Point, the attackers took advantage of a gap in Microsoft's signature verification, the check that confirms a file is genuine and trustworthy. First, they tricked victims into installing a legitimate remote IT management tool called Atera in order to gain access and deliver their tooling; that part is neither surprising nor new. From there, the attackers still had to install ZLoader without Windows Defender or another malware scanner detecting or blocking it.
This is where the roughly ten-year-old flaw helped. The attackers could modify a legitimate "dynamic-link library" file, a common file type that several programs share for code, to install the malware. The DLL in question was signed by Microsoft, which should prove it is authentic. But the attackers managed to attach a malicious script to the file without invalidating Microsoft's official signature.
“When you see a file that is a signed DLL you are sure you can trust it, but this shows that it is not always the case,” says Kobi Eisenkraft, a threat intelligence researcher at Check Point. “I think we will see more of this revolutionary approach.”
Microsoft calls its signature method “Authenticode.” In 2013 it released a fix that made Authenticode signature verification stricter, flagging files that had been subtly modified in this way. Initially the fix was pushed to all Windows users, but in July 2014 Microsoft revised its approach, making the stricter check optional.
“As we worked with customers to accommodate this change, we became convinced that the impact on existing software could be significant,” the company wrote in 2014, meaning that the fix caused false positives in which legitimate files were flagged as malicious. “As a result, Microsoft is no longer planning to enforce the stricter verification as a requirement. The stricter verification remains in place, however, and can be enabled at the customer's discretion.”
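What the stricter check looks for can be illustrated with a small file inspection. The following Python is an added example, not code from the article, Check Point or Microsoft; it assumes a PE with a single certificate-table entry and uses a minimal DER length decoder, and the "signed" image it inspects is constructed inline rather than a real Microsoft file. It reports how many bytes the file carries outside the region the Authenticode hash covers: slack that the certificate-table length field declares beyond the actual signature blob, plus anything appended after the table.

```python
import struct
SECURITY_DIR = 4  # index of the Attribute Certificate Table in the PE data directories

def _security_dir(pe: bytes):
    """(file offset, size) of the certificate table, or None for an unsigned image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                   # optional header after the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ data-directory offset
    off, size = struct.unpack_from("<II", pe, dirs + SECURITY_DIR * 8)
    return (off, size) if size else None

def _der_length(buf: bytes) -> int:
    """Total encoded length of the DER SEQUENCE (the PKCS#7 blob) starting at buf[0]."""
    if buf[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    if buf[1] < 0x80:
        return 2 + buf[1]
    n = buf[1] & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def unhashed_bytes(pe: bytes) -> int:
    """Bytes outside the Authenticode-hashed region: slack that WIN_CERTIFICATE.dwLength declares
    beyond the real signature (after 8-byte alignment) plus data appended after the table; 0 is clean."""
    sec = _security_dir(pe)
    if sec is None:
        return 0
    off, size = sec
    dw_length = struct.unpack_from("<I", pe, off)[0]      # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType
    blob = pe[off + 8:off + min(dw_length, size)]
    expected = (8 + _der_length(blob) + 7) // 8 * 8        # the dwLength this signature actually needs
    slack = max(dw_length - expected, 0)
    trailing = max(len(pe) - (off + size), 0)
    return slack + trailing

def build_sample(extra: bytes = b"") -> bytes:
    """Constructed PE32+ stand-in (not a real file): minimal headers, a dummy DER SEQUENCE as the
    'signature', and `extra` placed in the padding that dwLength covers but the hash does not."""
    sig = b"\x30\x0A\x04\x08fakesig!"                     # SEQUENCE { OCTET STRING "fakesig!" }
    body = sig + extra
    dw_length = (8 + len(body) + 7) // 8 * 8
    cert = struct.pack("<IHH", dw_length, 0x0200, 0x0002) + body
    cert += b"\0" * (dw_length - 8 - len(body))
    hdr = bytearray(0x200)
    struct.pack_into("<I", hdr, 0x3C, 0x80)               # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 24, 0x20B)         # PE32+ optional-header magic
    struct.pack_into("<II", hdr, 0x80 + 24 + 112 + SECURITY_DIR * 8, len(hdr), dw_length)
    return bytes(hdr) + cert
```

A non-zero result on a file that still passes the default signature check is exactly the condition the optional stricter verification rejects.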
In a statement on Wednesday, Microsoft stressed that users can protect themselves by applying the fix the company released in 2013. The company also said that, as the Check Point researchers noted in the ZLoader campaign, the flaw could be exploited only if a device was already compromised or if attackers tricked people into running one of the modified files that appear to be signed. “Customers who apply the update and enable the configuration indicated in the security advisory will be protected,” a Microsoft spokesperson told WIRED.
But even though the fix has been available for a long time, most Windows devices do not have it, because users and system administrators first need to know about the patch and then choose to install it. Microsoft also noted in 2013 that the flaw was being exploited by attackers in “targeted attacks.”