Old Windows vulnerability re-used in modern attacks

As documented by Checkpoint, the vulnerability CVE-2013-3900 is being exploited as part of the new infection chain used by Zloader, a banking malware designed to steal user credentials and other private information.

What is notable about CVE-2013-3900, a code signature validation vulnerability, is that it allows remote attackers to execute arbitrary code via specially crafted executables: the changes made to a signed file can be subtle enough that its digital signature is not invalidated.

The vulnerability was originally published by Microsoft in 2013, but the company decided at the time not to enforce the stricter verification behavior by default. The recent republishing of the advisory most likely follows the revelations that the vulnerability is being used in modern malware as an additional detection evasion technique.

In its blog post, Checkpoint warns about a particular system DLL (AppResolver.dll) used in the infection chain: although the threat actor renamed the DLL to "appContast.dll" and appended a malicious script to the file, the file still appears to be legitimately signed by Microsoft.

Malicious but signed by Microsoft. Source: Checkpoint

Despite this novel technique, Microsoft is still not planning to enforce the stricter verification behavior by default on supported releases of Windows. The behavior remains available as an opt-in feature that customers enable themselves through registry key modifications.
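To make concrete what the stricter, opt-in verification actually looks at, here is an added example (not code from Checkpoint or Microsoft) that parses the WIN_CERTIFICATE in a PE file's security directory and reports any non-zero bytes sitting after the PKCS#7 signature blob, which is the condition the padding check rejects and the way the appended script described above can ride inside a still-valid signature. The PE and WIN_CERTIFICATE layout constants are the standard ones; the PKCS#7 sample and test input are constructed stand-ins, not a real signature.

```python
import struct

# The Authenticode signature sits in the PE security directory as a
# WIN_CERTIFICATE: an 8-byte header (dwLength, wRevision, wCertificateType)
# followed by a DER-encoded PKCS#7 SignedData. Bytes after the SignedData that
# are not zero padding to an 8-byte boundary are covered by dwLength but not by
# the signature hash, which is the CVE-2013-3900 condition.
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def der_total_length(blob: bytes) -> int:
    """Total encoded size (tag + length + content) of the leading DER SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE (PKCS#7 SignedData)")
    first = blob[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def trailing_nonzero_bytes(security_dir: bytes) -> bytes:
    """Bytes after the PKCS#7 blob inside the WIN_CERTIFICATE that are not zero
    padding. An empty result means the strict padding check would pass."""
    dw_length, _rev, cert_type = WIN_CERT_HEADER.unpack_from(security_dir, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected certificate type {cert_type:#06x}")
    body = security_dir[WIN_CERT_HEADER.size:dw_length]
    return body[der_total_length(body):].rstrip(b"\x00")

def security_directory(pe: bytes) -> bytes:
    """Slice the security directory (a raw file offset, not an RVA) out of a PE image."""
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24      # e_lfanew + PE sig + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ data directories
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4 = SECURITY
    if off == 0 or size == 0:
        raise ValueError("file carries no Authenticode signature")
    return pe[off:off + size]

def build_security_dir(pkcs7: bytes, appended: bytes = b"") -> bytes:
    """Constructed test input: a WIN_CERTIFICATE around a toy PKCS#7 blob, optionally
    with extra bytes appended inside dwLength the way the article describes."""
    body = pkcs7 + appended
    body += b"\x00" * (-len(body) % 8)                    # zero-pad to 8-byte boundary
    return WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body), 0x0200, 0x0002) + body

# Toy SignedData stand-in, SEQUENCE { INTEGER 1, NULL }: constructed, not a real signature.
TOY_PKCS7 = bytes.fromhex("30050201010500")
```

On a real file, `trailing_nonzero_bytes(security_directory(open(path, "rb").read()))` returning anything but `b""` is the case worth flagging in triage.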