Cybercrime group Malsmoke has compromised over 2,000 computers around the world by taking advantage of a nine-year-old vulnerability in Microsoft Windows. The group uses legitimate software to launch its malware, which makes the attacks difficult to detect, and security experts say the incident highlights the importance of regular patching of systems.
Malsmoke and the nine-year-old Microsoft Windows vulnerability
The recent attacks were first spotted by cybersecurity company Check Point, and so far over 2,000 victims have downloaded the malicious file, according to a report from the company. In it, Check Point researcher Golan Cohen says “the techniques incorporated in the infection chain include the use of legitimate remote management software to gain initial access to the target machine. The malware then exploits Microsoft’s digital signature verification method to inject its payload into a signed system DLL to further evade the system’s defences.”
The vulnerability is CVE-2013-3900, a WinVerifyTrust signature validation flaw. The hash that an Authenticode signature covers excludes the certificate table in which the signature itself is stored, so an attacker can append arbitrary data inside that table, after the signature blob, and the file still passes signature verification even though its content has changed. Malsmoke used that slack space to carry its malicious script inside a signed DLL.
“The key piece of information here was they were able to make use of legitimate Microsoft Windows programs and components to deploy their final payload, the Zloader malware,” explains Alex Hinchliffe, threat intelligence analyst at Palo Alto Networks, who says this technique is known as "living off the land". Zloader is a popular banking Trojan, used by well-established ransomware gangs such as Conti and Ryuk.
Microsoft released a fix for the vulnerability when it was first disclosed in 2013, but crucially shipped the stricter check switched off: it only takes effect when an administrator sets the EnableCertPaddingCheck registry value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node path on 64-bit systems). At the time the company said this was because enforcing the check would cause some legitimately signed files to fail validation. But nine years on it means many Windows devices still accept tampered signatures.
Malsmoke has been taking advantage of the vulnerability using remote management software called Atera to deliver its malware. Using Atera is significant as it makes the campaign appear even more innocuous, Hinchliffe adds. “If detection rates on files used by the actors are low, or legitimate software is used, such as Atera in this case, it's harder for defenders to understand the good from the bad," he says.
Who are Malsmoke?
First documented by Malwarebytes in 2020, Malsmoke has become known for favouring so-called “malvertising”: placing malicious adverts on legitimate sites to push visitors towards its malware. In a report released by Malwarebytes, the gang is described as “daring and successful" as it "goes after larger publishers and a variety of advertising networks.”
This recent activity is a new direction for the gang, says Hinchliffe. “Using signed applications to load malicious scripts seems to be new for these actors but ultimately the victims will be attacked for the usual reasons – access, profit, ransomware," he says.
Using Microsoft vulnerabilities is popular
With its software so widely used by businesses and consumers, vulnerabilities in Microsoft products are a popular target for ransomware gangs. Earlier this week Tech Monitor reported a ransomware group, Vice Society, exploiting a Windows Print Spooler flaw known as PrintNightmare to take down the card readers in over 600 UK branches of supermarket chain Spar.
In September, researchers at Microsoft and security company RiskIQ identified several campaigns using the zero-day CVE-2021-40444, which allows attackers to craft malicious Microsoft Office documents. And in August, a former Microsoft security employee warned that cybercriminals were exploiting vulnerabilities in Microsoft Exchange email servers en masse because of unpatched systems.
The age of the vulnerability being exploited by Malsmoke highlights the importance of remaining diligent with patching, says Hinchliffe: “Certainly if the patch is not installed it's easier for attackers to leverage and launch attacks,” he adds. Microsoft's security team itself says that with "known ransomware-associated access brokers using it, we highly recommend applying security patches and updating affected products and services as soon as possible".