Google researchers have discovered that malware developers are creating deliberately malformed code signatures.
The resulting signature is still treated as valid by Windows, which lets the signed file bypass security software.
This method is being actively used to spread OpenSUpdater, a family of unwanted software (riskware) that injects ads into the victim’s browser and installs other unwanted programs on the machine.
The financially motivated threat actors behind OpenSUpdater coordinate their campaigns to infect as many devices as possible.
Most of the targets are in the United States and are typically users looking for game cracks or other potentially dangerous software.
Security researcher Neel Mehta and members of the Google Threat Analysis Group (TAG) discovered that OpenSUpdater had begun signing samples with legitimate but deliberately malformed certificates, which Windows accepts but OpenSSL rejects.
By breaking OpenSSL’s certificate parsing (OpenSSL can no longer decode and verify the digital signature), the malicious samples evade detection by security solutions that rely on OpenSSL to extract signature information, and can then carry out their malicious tasks on the victim’s machine.
Groups of OpenSUpdater samples are often signed with the same code signing certificate, obtained from a legitimate certificate authority. Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation revealed that this was a deliberate attempt to evade detection. In these new samples, the signature was edited so that an End of Content (EOC) marker replaces the NULL tag in the parameters element of the SignatureAlgorithm field of the leaf X.509 certificate.
EOC markers terminate indefinite-length encodings; in this case, however, the EOC appears inside a definite-length encoding (l = 13).
This lets OpenSUpdater samples deployed on the victim’s computer slip past security defenses: a security solution that uses OpenSSL to parse digital signatures fails to extract the signature information, which disrupts its scanning process and leaves the malicious nature of the sample undetected.
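As an added illustration (not code from the TAG or Heimdal write-ups), here is a strict DER walk over an X.509 AlgorithmIdentifier that flags the malformation described above. The byte strings are constructed sample values for sha256WithRSAEncryption, whose SEQUENCE happens to have the same 13-byte length (l = 13) the article mentions.

```python
# Constructed sample: well-formed AlgorithmIdentifier for sha256WithRSAEncryption,
# SEQUENCE (l = 13) { OID 1.2.840.113549.1.1.11, NULL }
GOOD_ALGID = bytes.fromhex("300d06092a864886f70d01010b0500")
# Constructed sample: same SEQUENCE, but the NULL (05 00) is replaced by an
# End-of-Content marker (00 00), mirroring the malformation described above.
BAD_ALGID = bytes.fromhex("300d06092a864886f70d01010b0000")


def read_tlv(buf: bytes, pos: int):
    """Decode one tag-length-value at buf[pos]; return (tag, value, next_pos).
    Only short-form definite lengths occur in an AlgorithmIdentifier."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form or indefinite length not valid here")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("declared length runs past end of buffer")
    return tag, buf[start:end], end


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this base-128 arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def check_algorithm_identifier(der: bytes) -> tuple[str, list[str]]:
    """Return (algorithm OID, strict-DER findings); an empty list means clean.
    A strict parser such as OpenSSL rejects the EOC case; a lenient one may
    step over it and still treat the signature as valid."""
    oid, findings = "", []
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        return oid, [f"outer tag 0x{tag:02x} is not SEQUENCE"]
    pos = 0
    while pos < len(body):
        inner_tag, inner_val, pos = read_tlv(body, pos)
        if inner_tag == 0x06:
            oid = decode_oid(inner_val)
        elif inner_tag == 0x00:
            # EOC may only close an indefinite-length BER encoding; inside a
            # definite-length SEQUENCE it is the malformation described above.
            findings.append(f"EOC marker inside definite-length SEQUENCE (l = {len(body)})")
        elif inner_tag != 0x05:  # NULL is the expected parameters value
            findings.append(f"unexpected tag 0x{inner_tag:02x} in parameters")
    return oid, findings
```

Running the check over the two constructed values shows the same algorithm OID in both, with a finding only for the EOC variant.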
Since this activity was first discovered, the creators of OpenSUpdater have tried other variations of invalid encodings to further avoid detection.
This is the first time TAG has observed an actor using this technique to evade detection while retaining a valid digital signature in the PE file.
According to Bleeping Computer, the Google TAG team is working with the Google Safe Browsing team to prevent this family of unwanted software from spreading to more victims’ computers.
Source: Malware Developers Working on Tricking Windows Validation, https://heimdalsecurity.com/blog/malware-developers-working-on-tricking-windows-validation/