June 5, 2023

Financially motivated threat actors have started using new code signing tricks to increase the chances of their software evading detection on Windows systems.

The new technique has been used by the operators of OpenSUpdater, which classified as adware, potentially unwanted program (PUP), or potentially unwanted application (PUA). These types of pieces of software can ruin the user experience and they may attempt to download and install other shady programs.

OpenSUpdater operators have been signing their files using code-signing certificates from a legitimate certificate authority. Google noticed that some samples had an invalid signature, and further analysis revealed that this was actually done as part of an attempt to evade detection.

The signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the ‘parameters’ element of the Signature Algorithm signing the leaf X.509 certificate. EOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding. This type of signature is detected as invalid by security products that leverage OpenSSL, but the Windows OS treats the signature as valid.

The OpenSUpdater authors have been experimenting with invalid encodings they identified other variations as well in an effort to find ways of evading detection.

Tags:

Leave a Reply

You may have missed

BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

June 4, 2023
Cisco buys Armorblox

Cisco buys Armorblox

June 3, 2023
CISA KEV Update Part I – May 2023

CISA KEV Update Part I – May 2023

June 3, 2023
Gigabyte Motherboards Backdoor’ed

Gigabyte Motherboards Backdoor’ed

June 3, 2023
MOVEit Vulnerability Exploited in Wild

MOVEit Vulnerability Exploited in Wild

June 2, 2023
%d bloggers like this: