Financially motivated threat actors have started using new code signing tricks to increase the chances of their software evading detection on Windows systems.
The new technique has been used by the operators of OpenSUpdater, which is classified as adware, a potentially unwanted program (PUP), or a potentially unwanted application (PUA). Software of this kind degrades the user experience and may attempt to download and install other shady programs.
OpenSUpdater operators have been signing their files using code-signing certificates from a legitimate certificate authority. Google noticed that some samples had an invalid signature, and further analysis revealed that this was actually done as part of an attempt to evade detection.
The signature was edited so that an End of Content (EOC) marker replaced the NULL tag of the ‘parameters’ element in the Signature Algorithm signing the leaf X.509 certificate. EOC markers terminate indefinite-length encodings (a BER construct that DER does not permit), but in this case an EOC appears inside a definite-length encoding. Security products that parse the signature with OpenSSL reject it as invalid, while the Windows OS treats the signature as valid.
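To make the encoding trick concrete, here is a small DER walker, added as an illustration rather than taken from Google's write-up or from any product's code. It builds two AlgorithmIdentifier encodings (sha256WithRSAEncryption with its NULL parameters, and the same bytes with the NULL replaced by an EOC marker), parses them with a strict decoder that rejects an EOC inside a definite-length SEQUENCE and a lenient one that tolerates it, and adds a triage check that flags any EOC tag found inside definite-length structure. The strict/lenient split is a simplified model of the behaviour the article describes, not a reproduction of OpenSSL's or Windows' actual parsing logic, and the sample byte strings are constructed for the example.

```python
"""Toy DER walker: an End-of-Content marker (0x00 0x00) substituted for the
NULL parameters (0x05 0x00) of an AlgorithmIdentifier. Added example; the
strict and lenient decoders are simplified models, not the real products' code."""

SHA256_WITH_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11
# Constructed sample inputs: a well-formed AlgorithmIdentifier and the tampered one.
VALID_ALG_ID = b"\x30\x0d" + SHA256_WITH_RSA_OID + b"\x05\x00"
TAMPERED_ALG_ID = b"\x30\x0d" + SHA256_WITH_RSA_OID + b"\x00\x00"

TAG_EOC, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x00, 0x05, 0x06, 0x30


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, value, position after the TLV)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not permitted in DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def decode_oid(value: bytes) -> str:
    """Decode the base-128 arcs of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_algorithm_identifier(der: bytes, strict: bool = True):
    """Return (oid, params). strict=True rejects an EOC tag inside the definite-length SEQUENCE."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != TAG_OID:
        raise ValueError("algorithm must be an OBJECT IDENTIFIER")
    params = None
    if pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == TAG_EOC:
            if strict:
                raise ValueError("EOC marker inside a definite-length encoding")
            params = ("EOC", val)  # lenient decoder tolerates the stray marker
        elif tag != TAG_NULL:
            params = (tag, val)
    if pos != len(body):
        raise ValueError("trailing bytes in AlgorithmIdentifier")
    return decode_oid(oid), params


def verdicts(der: bytes) -> dict:
    """Run both decoders over one encoding to contrast their outcomes."""
    out = {}
    for name, strict in (("strict", True), ("lenient", False)):
        try:
            out[name] = parse_algorithm_identifier(der, strict)[0]
        except ValueError as e:
            out[name] = f"rejected: {e}"
    return out


def find_eoc_in_definite_length(der: bytes) -> bool:
    """Triage check: walk a DER blob and report any tag 0x00 inside a
    definite-length constructed value. Nothing in valid DER carries tag 0x00."""
    pos = 0
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        if tag == TAG_EOC:
            return True
        if tag & 0x20 and find_eoc_in_definite_length(value):  # constructed type: recurse
            return True
    return False


if __name__ == "__main__":
    for label, blob in (("valid", VALID_ALG_ID), ("tampered", TAMPERED_ALG_ID)):
        print(label, verdicts(blob), "eoc_present:", find_eoc_in_definite_length(blob))
```

The triage walker only descends into constructed types, so it will not see an EOC hidden inside a BIT STRING or OCTET STRING that itself wraps DER; for a full certificate, run it over the outer structure and then separately over any wrapped payloads you care about.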
The OpenSUpdater authors have been experimenting with invalid encodings; they have identified other variations as well in an effort to find ways of evading detection.