
01/05/2022

Hackers Are Exploiting a Flaw Microsoft Fixed Nine Years Ago

Your system could be exposed

The widely used malware ZLoader crops up in all sorts of criminal hacking, from efforts that aim to steal banking passwords and other sensitive data to ransomware attacks. Now, a ZLoader campaign that began in November has infected almost 2,200 victims in 111 countries by abusing a Windows flaw that Microsoft fixed back in 2013.

Hackers have long used a variety of tactics to sneak ZLoader past malware detection tools. In this case, according to researchers at security firm Check Point, the attackers took advantage of a gap in Microsoft's signature verification, the integrity check meant to ensure that a file is legitimate and trustworthy. First, they'd trick victims into installing a legitimate remote IT management tool called Atera to gain access and device control; that part is not particularly surprising or novel. From there, though, the hackers still needed to install ZLoader without Windows Defender or another malware scanner detecting or blocking it.

This is where the nearly decade-old flaw came in handy. Attackers could modify a legitimate dynamic-link library (DLL) file—a common file shared between multiple pieces of software to load code—to plant their malware. The target DLL is digitally signed by Microsoft, which is what proves its authenticity. But the attackers were able to inconspicuously append a malicious script to the file without invalidating Microsoft's signature, so the file still carried Microsoft's stamp of approval.
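A structural check a defender can run over a signed PE file, added here as an example and not part of the WIRED article or Check Point's research: it parses the Attribute Certificate Table and flags bytes inside a WIN_CERTIFICATE entry that the DER-encoded signature blob does not account for (beyond ordinary 8-byte alignment padding), as well as any bytes trailing the table. Treating such slack as the place appended content would hide is a heuristic assumption; the sample PE and its signature blob are constructed placeholders, not a real signed binary.

```python
import struct

def der_length(blob: bytes) -> int:
    """Total size (tag + length + content) of the DER element at blob[0]."""
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def cert_table_slack(pe: bytes) -> dict:
    """Per WIN_CERTIFICATE entry in data directory 4, report bytes the DER blob
    does not cover. Heuristic: slack past 8-byte padding, or bytes after the table,
    is content a still-valid signature never vouched for."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt_off = e_lfanew + 24                # after PE signature + COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    sec_off, sec_size = struct.unpack_from("<II", pe, dd_off + 4 * 8)
    if sec_size == 0:
        return {"signed": False, "entries": [], "trailing_bytes": 0}
    entries, pos, end = [], sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, _rev, _ctype = struct.unpack_from("<IHH", pe, pos)
        blob = pe[pos + 8:pos + length]
        der = der_length(blob) if len(blob) > 1 and blob[:1] == b"\x30" else 0
        slack = len(blob) - der
        entries.append({"slack": slack, "suspicious": slack > (-der) % 8})
        pos += (length + 7) & ~7           # entries are 8-byte aligned
    return {"signed": True, "entries": entries, "trailing_bytes": len(pe) - end}

def build_sample(extra: bytes) -> bytes:
    """Constructed test input, not a real binary: minimal PE32+ skeleton with one
    certificate entry holding a placeholder DER blob plus `extra` bytes inside it."""
    content = b"CONSTRUCTED-PKCS7-PLACEHOLDER".ljust(40, b"\0")
    der = b"\x30\x82" + struct.pack(">H", len(content)) + content
    blob = der + b"\0" * ((-len(der)) % 8) + extra
    blob += b"\0" * ((-len(blob)) % 8)
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    e_lfanew = 0x40
    hdr_size = e_lfanew + 4 + 20 + 240     # DOS stub + "PE\0\0" + COFF + PE32+ optional hdr
    hdr = bytearray(hdr_size)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt_off = e_lfanew + 24
    struct.pack_into("<H", hdr, opt_off, 0x20B)
    struct.pack_into("<II", hdr, opt_off + 112 + 4 * 8, hdr_size, len(entry))
    return bytes(hdr) + entry
```

Run it alongside, not instead of, real Authenticode verification (for example Get-AuthenticodeSignature in PowerShell), since a clean result here says nothing about whether the signature itself checks out.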

Please select this link to read the complete article from WIRED.
