Last Updated on 22/11/2021 by Sanskriti
Yet another technique has been revealed by the researchers through which the hackers can use flawed digital signatures in malware payloads to escape detection.
Neel Mehta, Google’s threat analysis group said in a report published on Thursday, “Attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number of security scanning products.”
The new technique was discovered to be utilized by the OpenSUpdater family of undesirable software, which is renowned for downloading and installing additional dubious applications on infected PCs. The majority of the campaign’s targets are individuals in the United States who are prone to downloading cracked games and other grey-area products.
The information comes from a series of OpenSUpdater samples that have been uploaded to VirusTotal since at least mid-August.
Not only are the artifacts signed with an invalid leaf X.509 certificate that was edited in such a way that the ‘parameters’ element of the Signature Algorithm field included an End-of-Content (EOC) marker instead of a NULL tag, but they’re also signed with an invalid leaf X.509 certificate that was edited in such a way that the ‘parameters’ element of the Signature Algorithm field included an End-of.
Despite the fact that such encodings are rejected as incorrect by-products when using OpenSSL to get signature information, checks on Windows systems would allow the file to be executed without any security alerts.
“This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files,” Mehta said.
“Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer. Attackers who are able to obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems.”