Google

Financially motivated actor breaks certificate parsing to avoid detection



Technical Details

Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer. Attackers who are able to obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems.

OpenSUpdater, a known family of unwanted software that violates our policies and is harmful to the user experience, is used to download and install other suspicious programs. The actor behind OpenSUpdater tries to infect as many users as possible; although they have no specific targeting, most victims appear to be within the United States and prone to downloading game cracks and grey-area software.

Groups of OpenSUpdater samples are often signed with the same code-signing certificate, obtained from a legitimate certificate authority. Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation showed this was a deliberate attempt to evade detection. In these new samples the signature was edited so that an End of Content (EOC) marker (00 00) replaced the NULL (05 00) that belongs in the 'parameters' element of the SignatureAlgorithm of the leaf X.509 certificate.

EOC markers terminate indefinite-length encodings; here, however, an EOC appears inside a definite-length encoding (the SEQUENCE declares a length of 13 bytes, 0x0D), where it has no place.

Bytes: 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 00 00

Decodes to the following elements:

SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)
    EOC

Reading the bytes: 30 0D is the SEQUENCE with its 13-byte length, 06 09 followed by nine bytes is the OBJECT IDENTIFIER, and the final 00 00 (EOC tag, zero length) sits where a well-formed AlgorithmIdentifier for sha256WithRSAEncryption carries 05 00 (NULL). The two encodings are the same length, so the edit changes no lengths elsewhere in the certificate.

Security products that use OpenSSL to extract signature information will reject this encoding as invalid, so a detection keyed on the signer's certificate has nothing to match on. A parser that tolerates the encoding, however, decodes the certificate normally, and the digital signature of the binary otherwise appears legitimate and valid: the edited field is the certificate's outer signatureAlgorithm, which lies outside the tbsCertificate that the CA's signature covers, so the signature value itself is untouched. This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files.
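How the two kinds of parser treat the bytes above, as an added example that is not code from the TAG post or from the OpenSUpdater samples: a minimal DER reader with a strict mode that rejects the EOC inside a definite-length SEQUENCE, the way OpenSSL does, and a tolerant mode that decodes it as a third element; plus a walker that reports the offsets of such EOC markers anywhere in a DER blob, which is the check a detection engineer would run over the certificate bytes pulled out of a signed PE. The malformed input is the byte string quoted in the post; the well-formed variant (05 00 restored in place of 00 00) is constructed, and all function names are this example's own.

```python
# Added example, not code from the TAG post. MALFORMED is the byte string quoted
# in the post; WELL_FORMED is constructed from it by restoring the expected NULL
# (05 00) in place of the EOC (00 00). Function names are this example's own.
MALFORMED = bytes.fromhex("300D06092A864886F70D01010B0000")
WELL_FORMED = bytes.fromhex("300D06092A864886F70D01010B0500")

TAG_EOC, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x00, 0x05, 0x06, 0x30
CONSTRUCTED = 0x20  # bit 6 of a one-byte tag; tag numbers >= 31 are not handled

class DERError(ValueError):
    """Raised for encodings that are not valid DER."""

def read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise DERError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                # short form
        return first, pos
    if first == 0x80:               # indefinite form is BER-only, never DER
        raise DERError("indefinite length is not allowed in DER")
    n = first & 0x7F                # long form: n length octets follow
    if pos + n > len(buf):
        raise DERError("truncated length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def parse_tlv(buf, pos, strict=True):
    """Read one tag-length-value; return (tag, value, next position).
    strict=True rejects an EOC (00 00) inside definite-length content, as
    OpenSSL does; strict=False treats it as just another empty element."""
    if pos >= len(buf):
        raise DERError("unexpected end of data")
    tag = buf[pos]
    length, pos = read_length(buf, pos + 1)
    if pos + length > len(buf):
        raise DERError("truncated value")
    if tag == TAG_EOC and strict:
        raise DERError("EOC marker inside definite-length encoding")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OID content octets (base-128 arcs) to dotted form."""
    arcs, cur = [], 0
    for b in value:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:            # last octet of this arc
            if not arcs:            # first octet packs the first two arcs
                first = min(cur // 40, 2)
                arcs += [first, cur - 40 * first]
            else:
                arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_algorithm_identifier(buf, strict=True):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }.
    Returns {"oid": dotted string, "parameters": "NULL" | "EOC" | other | None}."""
    tag, body, end = parse_tlv(buf, 0, strict)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise DERError("expected a single SEQUENCE")
    tag, oid_bytes, pos = parse_tlv(body, 0, strict)
    if tag != TAG_OID:
        raise DERError("expected OBJECT IDENTIFIER")
    params = None
    if pos < len(body):
        ptag, _, pos = parse_tlv(body, pos, strict)
        if pos != len(body):
            raise DERError("trailing data in SEQUENCE")
        params = {TAG_NULL: "NULL", TAG_EOC: "EOC"}.get(ptag, "tag 0x%02X" % ptag)
    return {"oid": decode_oid(oid_bytes), "parameters": params}

def accepts(buf, strict):
    """True if the chosen parser decodes buf as an AlgorithmIdentifier."""
    try:
        return bool(parse_algorithm_identifier(buf, strict))
    except DERError:
        return False

def find_eoc_in_definite(buf, base=0):
    """Detection: absolute offsets of EOC tags inside definite-length content,
    recursing into every constructed element (SEQUENCE, SET, ...) of a DER blob."""
    hits, pos = [], 0
    while pos < len(buf):
        start, tag = pos, buf[pos]
        length, pos = read_length(buf, pos + 1)
        if pos + length > len(buf):
            raise DERError("truncated value")
        if tag == TAG_EOC:
            hits.append(base + start)
        elif tag & CONSTRUCTED:
            hits.extend(find_eoc_in_definite(buf[pos:pos + length], base + pos))
        pos += length
    return hits

if __name__ == "__main__":
    for name, blob in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(name, "strict:", accepts(blob, True), "lenient:", accepts(blob, False),
              "EOC offsets:", find_eoc_in_definite(blob))
```

Against the post's bytes the strict parser raises on the EOC while the tolerant one returns the same OID with parameters reported as EOC, and the walker reports offset 13, the position of the first 00. To apply the walker to a real sample, extract the PKCS#7 SignedData from the PE's attribute certificate table (the WIN_CERTIFICATE entry referenced by the security data directory) and pass its bytes to find_eoc_in_definite; the one-byte-tag assumption holds for the X.509 and CMS structures involved.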

The signature is nonetheless treated as valid by the Windows operating system (the original post shows this in a screenshot). This issue has been reported to Microsoft.


Copyright © 2021 Today's Digital.