
Microsoft's digital signature verification is at the center of an ongoing attack by the Malsmoke hacking group. According to the security research team Check Point Research (CPR), malicious code known as ZLoader is being used to steal user credentials.

The campaign dates back to November 2021, and CPR says users must pay closer attention to the files they run.

“What we found was a new ZLoader campaign exploiting Microsoft’s digital signature verification to steal sensitive information of users,” says Kobi Eisenkraft, a researcher at CPR. “People need to know that they can’t immediately trust a file’s digital signature.”


Malsmoke has so far successfully stolen credentials from 2,170 victims across more than 100 countries. CPR warns that the attack method is being updated weekly, making it hard to pin down.

ZLoader is not a new threat. It is a trojan that has previously been used in attacks on financial institutions, and it can steal passwords, cookies, and other data from breached systems. Malsmoke has a history of using the malware, having previously targeted users of pornography sites.

In its new campaign, the group uses Java as the attack vector. As with many cyberattacks, it starts by installing the malware while pretending to be a legitimate service, this time a remote management program.

Attack

If successful, the threat actor gains complete access to the machine and can upload and download files, run scripts, and see all data. The group runs mshta.exe with the file appContast.dll as its parameter to load the malware. What is troubling is that Microsoft's signature check still trusts these files.

“The file appContast.dll is signed by Microsoft, even though more information has been added to the end of the file,” CPR points out. “The added information downloads and runs the final Zloader payload, stealing user credentials and private information from victims.”

CPR is urging Microsoft users to apply the update for strict Authenticode verification to offset the risk. The feature is not enabled by default and must be turned on.
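As an added example, not code from CPR or Microsoft, the following Python parses a PE file's security data directory and reports how many bytes sit inside the Authenticode certificate table beyond the padded PKCS#7 signature, and how many follow the table entirely; that slack is where the "added information" the quote describes can live, and it is what the strict verification update checks. The sample PE it inspects is constructed inline and is not a real binary.

```python
import struct

def der_length(blob: bytes) -> int:
    """Total length of the outer ASN.1 SEQUENCE (the PKCS#7 SignedData)."""
    if blob[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def security_directory(pe: bytes) -> tuple:
    """Return (offset, size) of data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                       # optional header follows 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)  # data directory array: PE32+ vs PE32
    return struct.unpack_from("<II", pe, dd + 4 * 8)

def signature_slack(pe: bytes) -> dict:
    """Bytes in the certificate table beyond the padded signature, and bytes after it."""
    off, size = security_directory(pe)
    if size == 0:
        return {"signed": False}
    dw_length = struct.unpack_from("<I", pe, off)[0]   # WIN_CERTIFICATE.dwLength
    der = der_length(pe[off + 8:off + size])           # bCertificate starts at +8
    padded = (der + 7) & ~7                            # Authenticode pads to 8 bytes
    return {"signed": True,
            "extra_in_cert_table": dw_length - 8 - padded,
            "bytes_after_cert_table": len(pe) - (off + size)}

def build_sample_pe(extra_in_table: bytes = b"", extra_after: bytes = b"") -> bytes:
    """Constructed PE32+ skeleton with one fake signature entry (not a real binary)."""
    sig = b"\x30\x05" + b"\xAA" * 5                    # 7-byte stand-in for PKCS#7 DER
    sig += b"\x00" * (-len(sig) % 8)
    cert = struct.pack("<IHH", 8 + len(sig) + len(extra_in_table), 0x0200, 0x0002)
    cert += sig + extra_in_table
    cert_off = 0x200
    hdr = bytearray(cert_off)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x58, 0x20B)           # PE32+ optional header magic
    struct.pack_into("<II", hdr, 0x58 + 112 + 4 * 8, cert_off, len(cert))
    return bytes(hdr) + cert + extra_after
```

Run `signature_slack(open(path, "rb").read())` on a real file; any non-zero slack on a file Windows still reports as validly signed is worth a closer look.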

