Jump to content
  • Google Warns of a New Way Hackers Can Make Malware Undetectable on Windows

    aum

    • 860 views
    • 2 minutes
     Share


    • 860 views
    • 2 minutes

    Cybersecurity researchers have disclosed a novel technique adopted by threat actors to deliberately evade detection with the help of malformed digital signatures of its malware payloads.

     

    "Attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number of security scanning products," Google Threat Analysis Group's Neel Mehta said in a write-up published on Thursday.

     

    The new mechanism was observed to be exploited by a notorious family of unwanted software known as OpenSUpdater that's used to download and install other suspicious programs on compromised systems. Most targets of the campaign are users located in the U.S. who are prone to downloading cracked versions of games and other grey-area software.

     

    The findings come from a set of OpenSUpdater samples uploaded to VirusTotal at least since mid-August.

     

    digital-cert.jpg

     

    Not only are the artifacts signed with an invalid leaf X.509 certificate that's edited in such a manner that the 'parameters' element of the SignatureAlgorithm field included an End-of-Content (EOC) marker instead of a NULL tag. Although such encodings are rejected as invalid by-products using OpenSSL to retrieve signature information, checks on Windows systems would permit the file to be run without any security warnings.

     

    "This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files," Mehta said.

     

    "Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer. Attackers who are able to obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems."

     

    Source

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...