Warning over ZLoader malware as thousands are hit by virus that exploits Microsoft signature verification to steal data
HACKERS are exploiting a Microsoft e-signature flaw that allows them to steal personal data and install a virus, affecting thousands of users.
Around 2,100 people have been affected by the virus, known as ZLoader, and researchers believe the hackers' latest campaign started in November last year.
Victims in the US and Canada have been impacted but the malware has been identified in 111 countries.
ZLoader is known to have delivered banking trojans in the past, reports.
Cybercriminals use software known as Atera to infect systems.
What looks like a Java installer is in fact an Atera agent, which gives the hackers a remote connection to users' devices.
Files that target Windows Defender, and a further file that launches ZLoader, are then added to the computer.
The malware stops the security tool from issuing alerts and appears to exploit a flaw within Microsoft’s e-signature verification system.
Kobi Eisenkraft, a malware researcher at , said: “People need to know that they can’t immediately trust a file’s digital signature.
“What we found was a new ZLoader campaign exploiting Microsoft’s digital signature verification to steal sensitive information of users.”
Microsoft appeared to address the bug in 2013 but a year later tech bosses turned the patch into an opt-in feature.
Researchers said: “This fix is disabled by default, which is what enables the malware author to modify the signed file.”
A Microsoft spokesperson told ZDNet: “We released a security update (CVE-2013-3900) in 2013 to help keep customers protected from exploitation of this vulnerability.
“Customers who apply the update and enable the configuration indicated in the security advisory will be protected.
“Exploitation of this vulnerability requires the compromise of a user's machine or convincing a victim to run a specially crafted, signed PE file.”
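For defenders, the opt-in configuration the spokesperson refers to is the EnableCertPaddingCheck registry setting from Microsoft's CVE-2013-3900 advisory. The PowerShell audit script below is an added example, not code from this article or from Microsoft; it assumes the registry paths and value name are those documented in that advisory.

```powershell
# Added example (not from the article or from Microsoft): audits whether the opt-in
# Authenticode padding check for CVE-2013-3900 is on, and enables it when run with -Enable.
# Run from an elevated PowerShell session.
# Assumption: paths and value name match Microsoft's advisory
# (HKLM ...\Wintrust\Config, EnableCertPaddingCheck = "1", plus the Wow6432Node copy on 64-bit).
param([switch]$Enable)

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'   # 64-bit hosts only
)

foreach ($path in $paths) {
    if ($path -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }

    $value = (Get-ItemProperty -Path $path -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
    if ($value -eq '1') {
        Write-Output "$path : padding check ENABLED"
        continue
    }

    # Default state: data appended to a signed file does not invalidate its signature.
    Write-Output "$path : padding check DISABLED (default)"
    if ($Enable) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # REG_SZ "1" is the value the advisory specifies. Test on representative signed installers
        # before a fleet-wide rollout: the stricter check can reject legitimately signed files
        # whose signature padding is non-conforming.
        New-ItemProperty -Path $path -Name EnableCertPaddingCheck -PropertyType String -Value '1' -Force | Out-Null
        Write-Output "$path : padding check now ENABLED"
    }
}
```

Without -Enable the script only reports, so it can be run as a read-only compliance check across a fleet.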
HACK FEARS
Eisenkraft said: “It seems like the ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis.”
It comes just months after Microsoft warned that ZLoader is being spread through Google keyword advertisements to infect vulnerable computers.
Americans were also warned to update their computers after the CVE-2021-44228 flaw in the Apache Log4j software was found being exploited by credential-stealing malware.
Windows 10 users were warned about around 60 vulnerabilities that were found by researchers.
One flaw that was discovered was the CVE-2021-43890 – a spoofing vulnerability in the Windows AppX installer that can be used to deliver malware.
Users unknowingly install this malicious software package when they open infected documents.
Microsoft said they are aware of the vulnerability and researchers are working to address the issue.
Chad McNaughton, of Automox, warned that organizations should take action to “remediate” their systems as the exploitation is “active”.
The Sun has approached Microsoft for comment.