Investigators within the cybersecurity industry have revealed a unique approach used by a threat actor to purposefully avoid detection using flawed digital signatures of their malware payloads.
In a written report on Thursday, Google Threat Analysis Group’s Neel Mehta claimed attackers produced flawed code signatures that seem to be valid by Windows and are not capable of somehow be decoded or controlled by OpenSSL code.
A notorious family of undesirable software, called OpenSUpdater, used it to download and install other suspected programming on affected computers, was found to be exploiting the new technique. Users in the U. S., most likely to download pirated game versions and other gray-area software, were among the campaign or cyber attack targets.
However, these conclusions are made from samples of OpenSUpdater that have been uploaded to VirusTotal since at least mid-August.
Whilst still opponents are dependent on unlawfully procured digital certificates in previous malware and undesired software, or even have embedded attack code in digitally signed software components by trying to poison the supply chain, OpenS Updater continues to stand out because it uses deformed signatures deliberately to slip through the defense. Whereas the attack code has been entered into the digitally signed software.
“This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files,” Mehta said.
“Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer. Attackers who can obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems.”
The artifacts are authenticated/signed with an invalid leaf X.509 certificate – modified in such a way so as contain an End-Of-Content (EOC) marker rather than a NULL tag in the ‘parameters’ feature of the Signature Algorithm fields. Despite products that use OpenSSL to get signature data are denied as invalid, tests on Windows PCs could enable the file to be executed without any notice of security.