Google warns users about how hackers can make malware undetectable on Windows. In a blog post published on Thursday, Neel Mehta of Google's Threat Analysis Group (TAG) said, “Attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number of security scanning products.”
The researchers warned about a novel technique adopted by threat actors to deliberately evade detection with the help of malformed digital signatures on their malware payloads. The bad actors were spotted using unwanted software known as OpenSUpdater, which was used to download and install other suspicious programs on compromised systems. The attackers targeted users in the US, who are prone to downloading cracked versions of games and other grey-area software.
This was revealed by a set of OpenSUpdater samples uploaded to VirusTotal since at least mid-August. The artifacts were signed with an invalid leaf X.509 certificate that had been edited so that the ‘parameters’ element of the SignatureAlgorithm field included an End-of-Content (EOC) marker instead of a NULL tag. Usually, such encodings are rejected as invalid by products using OpenSSL to retrieve signature information. Yet the checks on Windows systems would permit the file to be run without any security warnings.
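The encoding quirk described above can be checked for directly. The following is an added example, not code from Google TAG or from any scanning product: a small Python walker over definite-length DER that reports every SEQUENCE in which an OID is followed by an EOC marker (00 00) where a NULL (05 00) would normally sit. The `tlv` and `sample` helpers and the bytes they build are constructed for the demonstration; the OID used is sha256WithRSAEncryption.

```python
# Added example: report each SEQUENCE { OID, EOC } in a definite-length DER blob.
TAG_EOC, TAG_OID, TAG_SEQUENCE = 0x00, 0x06, 0x30

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the definite-length TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length fits in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for every TLV in buf[start:end]."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def find_eoc_params(buf, start=0, end=None):
    """Return the hex OID of each SEQUENCE { OID, EOC } found in the structure."""
    hits = []
    for tag, vs, ve in children(buf, start, len(buf) if end is None else end):
        if not tag & 0x20:                # primitive element: nothing inside
            continue
        kids = list(children(buf, vs, ve))
        if (tag == TAG_SEQUENCE and len(kids) >= 2 and kids[0][0] == TAG_OID
                and kids[1][0] == TAG_EOC and kids[1][1] == kids[1][2]):
            hits.append(buf[kids[0][1]:kids[0][2]].hex())
        hits.extend(find_eoc_params(buf, vs, ve))
    return hits

def tlv(tag, body):                       # builder for the constructed samples
    return bytes([tag, len(body)]) + body

def sample(params):
    # Constructed certificate-shaped blob: inner and outer AlgorithmIdentifier
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + params)
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xff"))
```

`find_eoc_params(sample(b"\x00\x00"))` returns the OID twice, once per AlgorithmIdentifier, while the NULL-encoded sample returns an empty list. Extracting the signature data from a PE file is outside this example.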
Mr. Mehta said, “This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files.”
He further added, “Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer. Attackers who are able to obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems.”