Google

Financially motivated actor breaks certificate parsing to avoid detection

Technical Details

Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer. Attackers who are able to obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems.

OpenSUpdater, a known family of unwanted software which violates our policies and is harmful to the user experience, is used to download and install other suspicious programs. The actor behind OpenSUpdater tries to infect as many users as possible and, while they do not target anyone specifically, most victims appear to be within the United States and prone to downloading game cracks and grey-area software.

Groups of OpenSUpdater samples are often signed with the same code-signing certificate, obtained from a legitimate certificate authority. Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation showed this was a deliberate attempt to evade detection. In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the ‘parameters’ element of the SignatureAlgorithm signing the leaf X.509 certificate.

EOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding (length byte 0x0D = 13).

Bytes: 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 00 00

Decodes to the following elements:

SEQUENCE (2 elem)
  OBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)
  EOC

Security products using OpenSSL to extract signature information will reject this encoding as invalid. A parser that permits such encodings, however, will treat the binary's digital signature as legitimate and valid. This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files.
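The divergence between strict and permissive parsers is easy to show. The following is an added example, not code from the TAG post: a minimal strict DER walker that decodes the AlgorithmIdentifier bytes above and, like OpenSSL, refuses the EOC-for-NULL substitution. Both byte strings are constructed from the encoding shown; the well-formed variant with a NULL parameters element (05 00) is assumed as the comparison baseline.

```python
# Constructed vectors: the correct AlgorithmIdentifier for sha256WithRSAEncryption
# (parameters = NULL, encoded 05 00) and the tampered form from the post, where an
# End-of-Content marker (00 00) replaces the NULL inside a definite-length SEQUENCE.
GOOD_ALGID = bytes.fromhex("300D06092A864886F70D01010B0500")
EVASIVE_ALGID = bytes.fromhex("300D06092A864886F70D01010B0000")

TAG_NAMES = {0x00: "EOC", 0x05: "NULL", 0x06: "OBJECT IDENTIFIER", 0x30: "SEQUENCE"}

def decode_oid(body: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body (base-128 arcs) to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def walk(data: bytes, depth: int = 0) -> list:
    """Strict DER walk returning (depth, description) per element. A stray EOC tag
    raises ValueError: DER has no indefinite lengths, so EOC never belongs inside."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]
        if tag == 0x00:
            raise ValueError(f"EOC marker at offset {i} inside definite-length encoding")
        length, i = data[i + 1], i + 2
        if length & 0x80:  # long form: 0x8N, then N big-endian length bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError(f"element at offset {i} truncated")
        name = TAG_NAMES.get(tag, f"tag 0x{tag:02X}")
        if tag == 0x06:
            name += " " + decode_oid(body)
        out.append((depth, name))
        if tag & 0x20:  # constructed: descend into the contents
            out.extend(walk(body, depth + 1))
        i += length
    return out

def flags_eoc_substitution(data: bytes) -> bool:
    """True when strict parsing fails specifically because of a stray EOC."""
    try:
        walk(data)
        return False
    except ValueError as err:
        return "EOC marker" in str(err)
```

A signature-extraction tool that wants OpenSSL's behaviour should fail closed on the ValueError rather than skipping the element, since the surrounding signature otherwise verifies.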

As shown in the following screenshot, the signature is considered to be valid by the Windows operating system. This issue has been reported to Microsoft.


Google

Countering hack-for-hire groups

As part of TAG’s mission to counter serious threats to Google and our users, we’ve published analysis on a range of persistent threats including government-backed attackers, commercial surveillance vendors, and serious criminal operators. Today, we’re sharing intelligence on a segment of attackers we call hack-for-hire, whose niche focuses on compromising accounts and exfiltrating data as a service.

In contrast to commercial surveillance vendors, who we generally observe selling a capability for the end user to operate, hack-for-hire firms conduct attacks themselves. They target a wide range of users and opportunistically take advantage of known security flaws when undertaking their campaigns. Both, however, enable attacks by those who would otherwise lack the capabilities to do so.

We have seen hack-for-hire groups target human rights and political activists, journalists, and other high-risk users around the world, putting their privacy, safety and security at risk. They also conduct corporate espionage, handily obscuring their clients’ role.

To help users and defenders, we will provide examples of the hack-for-hire ecosystem from India, Russia, and the United Arab Emirates and context around their capabilities and persistence mechanisms.


Google

Preserving languages and the stories behind them

Our Potawatomi tribe partner, Justin Neely, is using Woolaroo to promote and preserve the Potawatomi’s language, Bodéwadmimwen, among students and young people. “Words, phrases and verb conjugations show how the Potawatomi see the world — with an emphasis on connection to the earth, a high regard for mother nature and living beings, and a communal lifestyle,” says Neely. Neely felt that Woolaroo would suit children in particular, allowing them to use technology as a way to explore their heritage.


Google

Go on an epic adventure with Netflix’s “The Sea Beast”

Craving a different type of drive this summer? Go on a high-seas adventure without stepping off land. Activate Waze’s latest driving experience, inspired by Netflix’s newest movie, “The Sea Beast.” (Check out the trailer and the film on Netflix July 8.)

Starting today, you’ll meet the dynamic duo of Maisie, a precocious stowaway, and Blue, a little beast with a huge mischief streak, and revel in the unlikely comedy of their friendship as they help you navigate every turn you take on Waze. And don’t worry: Maisie will help translate Blue’s sounds for you. You’ll also get to know some other Beasts that they find on their journey when you choose between three new Moods: Blue, Red and Yellow. Don’t forget to swap your vehicle for a Lifeboat, to get into the true adventurer’s spirit.

With Sea Beast Mode activated, get ready to explore the world together, on a journey full of surprise, wonder and funny banter — because where the map ends, the adventure begins.

If you’re interested in seeing the magic in real life, Netflix is hosting a series of experiences across the U.S. at aquariums, museums and more to celebrate the launch of The Sea Beast.

For a drive that takes you to the seas, visit Waze or click “My Waze” in your Waze app and tap the “Turn on Sea Beast Mode” banner to activate. It’s available globally, in English, for a limited time.


Copyright © 2021 Today's Digital.