Contents:
The researchers from Google were the ones that spotted the malware developers creating malformed code signatures.
The signatures created are likely to be seen as valid in Windows in order to bypass security software.
This method is actively used to spread OpenSUpdater, a family of unwanted software known as riskware that injects advertisements into victims’ browsers and installs other unwanted programs on their machines.
The financially motivated threat actors behind OpenSUpdater will coordinate campaigns to infect as many devices as possible.
The majority of the targets are from the United States, and they are most likely looking to obtain game cracks and other potentially dangerous software.
Security researcher Neel Mehta from the Google Threat Analysis Group (TAG) was the one that discovered the fact that OpenSUpdater had started signing samples with legitimate but intentionally malformed certificates, which was accepted by Windows but rejected by OpenSSL.
By interrupting certificate parsing for OpenSSL (which will be unable to decode and validate digital signatures), the malicious samples will just be undetectable by some security solutions that depend on OpenSSL-based detection protocols, enabling them to carry out their malicious tasks on victims’ machines.
Groups of OpenSUpdater samples are often signed with the same code-signing certificate, obtained from a legitimate certificate authority. Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation showed this was a deliberate attempt to evade detection. In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the ‘parameters’ element of the SignatureAlgorithm signing the leaf X.509 certificate.
EOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding (l= 13).
It looks like the OpenSUpdater is able to bypass security defenses by enabling the samples deployed on a victim’s computer. This can happen as any security solutions using OpenSSL to parse digital signatures will ignore the malicious nature of the samples because they are rejecting the signature information as invalid, confusing, and breaking the malware scan process.
Since first discovering this activity, OpenSUpdater’s authors have tried other variations on invalid encodings to further evade detection.
This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files.
According to the publication BleepingComputer, the Google TAG team is working with the Google Safe Browsing team in an attempt to block this family of unwanted software from further spreading onto other victims’ computers.