HACKERS are exploiting a Microsoft digital signature vulnerability that allows them to steal personal data and install viruses, affecting thousands of users.
About 2,100 people have been affected by the virus, known as ZLoader, and researchers believe the hacker’s latest campaign began last November.
Victims in the United States and Canada were affected, but the malware was identified in 111 countries.
ZLoader is known to have provided banking trojans in the past, ZDNet report.
Cybercriminals use software called Atera to infect systems.
Atera appears to show a fake Java installer, but the hacker is installing an agent that is connected to the user’s device.
Files that target Windows Defender and another that launch ZLoader are added to the computer.
It suppresses warnings issued by the cybersecurity tool and appears to exploit a vulnerability in Microsoft’s digital signature verification system.
Kobi Eisenkraft, a malware researcher at Test marks, says: “People need to know that they can’t immediately trust a file’s digital signature.
“What we discovered is a new ZLoader campaign that exploits Microsoft’s digital signature verification to steal sensitive user information.”
Microsoft apparently resolved the bug in 2013 but a year later tech bosses turned the patch into an opt-in feature.
“This fix is disabled by default, which is what allows the malware author to modify the signed file,” the researchers said.
A Microsoft spokesperson told ZDNet: “We released a security update (CVE-2013-3900) in 2013 to help protect our customers from exploiting this vulnerability.
“Customers who apply the update and activate the configuration indicated in the security advisory will be protected.
“Exploiting this vulnerability requires entering the user’s machine or convincing the victim to run a specially crafted, signed PE file.”
“It appears that the authors of the ZLoader campaign have been very hard on the defensive and are still updating their methods on a weekly basis,” Eisenkraft said.
It comes just months after Microsoft warned that ZLoader was being distributed through Google keyboard ads to infect vulnerable computers.
Americans are also warned update their computer after the “CVE-2021-44228” vulnerability in Apache Log4j software was discovered as a vulnerability in credential-stealing malware.
Windows 10 users have been warned about about 60 vulnerabilities that have been found by researchers.
One vulnerability has been discovered as CVE-2021-43890 – a rogue vulnerability in the Windows AppX installer that can be used to deliver malware.
This malware package is installed by unsuspecting users when they open infected documents.
Microsoft says it is aware of the vulnerability and that researchers are working to resolve it.
Chad McNaughton, of Automox, warned that organizations should act to “fix” their systems when the exploit is “working”.
The Sun has reached out to Microsoft for comment.
https://www.thesun.co.uk/tech/17228389/zloader-malware-exploits-microsoft-signature-verification/ ZLoader malware warning as thousands of people attacked by virus exploit Microsoft signature verification to steal data