[TheRecord] Google finds adware strain abusing novel file signature evasion technique

One of Google’s security teams said it found a malware strain abusing a new technique to evade detection from security products by cleverly modifying the digital signature of its payloads.

Discovered by Neel Mehta, a security researcher for the Google Threat Analysis Group (TAG), the technique was seen abused by an adware strain named OpenSUpdater.

In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the ‘parameters’ element of the SignatureAlgorithm signing the leaf X.509 certificate. EOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding (l= 13).

Neel Mehta, analyst for the Google Threat Analysis Group

While the technical explanation is a bit hard to understand for non-technical users, Mehta is referring to a tiny edit the OpenSUpdater gang made in a small field inside the digital signature of their payloads.

On Windows systems, this tiny edit does not affect the operating system's file signature check, and a file that passes that check runs without any security warnings.

However, Mehta says that security products that use the OpenSSL library to parse and extract a file's signature information, as many do, reject the modified encoding as invalid and so cannot extract the signature from files altered this way, even though the signature itself is still valid.
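To make the quoted description concrete, here is an added illustration that is not part of The Record article, Google's write-up or any vendor's code. It builds a DER AlgorithmIdentifier by hand, once with the correct NULL parameters (05 00) and once with the End of Content marker (00 00) swapped in, and runs both through a small DER walker that can be told to behave strictly, as a DER parser such as OpenSSL does when it rejects an EOC inside a definite-length encoding, or leniently, treating the EOC as just another empty element. The article does not say which signature algorithm the samples used; sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11) is assumed here only because its AlgorithmIdentifier with NULL parameters is exactly 13 bytes long, matching the length quoted above. The walker is a simplified model, not OpenSSL's or Windows' parser, and the byte strings are constructed for the example.

```python
"""Illustration of the OpenSUpdater signature edit: an End of Content marker (00 00)
placed where the NULL (05 00) 'parameters' of an AlgorithmIdentifier belongs, inside
a definite-length SEQUENCE of length 13. Not real sample data; constructed here."""

# Assumption: sha256WithRSAEncryption is used only because its encoding is 13 bytes
# long, matching the length in the quoted description; the article names no OID.
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")            # 1.2.840.113549.1.1.11
ALGID_VALID = b"\x30\x0d" + b"\x06\x09" + OID_SHA256_RSA + b"\x05\x00"   # NULL params
ALGID_EVASIVE = b"\x30\x0d" + b"\x06\x09" + OID_SHA256_RSA + b"\x00\x00"  # EOC instead


class DerError(ValueError):
    pass


def _read_length(buf, pos):
    """Parse a BER/DER length at buf[pos]; return (length, new_pos). None = indefinite."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        return None, pos                      # indefinite form, BER only
    n = first & 0x7F
    if n == 0 or pos + n > len(buf):
        raise DerError("bad length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def parse_tlvs(buf, strict=True):
    """Return a list of (tag, value) for the TLVs in buf.
    strict=True models a DER parser (e.g. OpenSSL): an EOC (tag 0x00) is only legal as
    the terminator of an indefinite-length encoding, so meeting one in a definite-length
    context is an error. strict=False models a lenient parser that accepts the EOC as
    an empty element, so the structure still parses and the signature looks intact."""
    out = []
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        pos += 1
        length, pos = _read_length(buf, pos)
        if length is None:
            raise DerError("indefinite length not allowed in DER")
        if tag == 0x00:
            if strict:
                raise DerError("EOC inside definite-length encoding")
            if length != 0:
                raise DerError("EOC with non-zero length")
            out.append((tag, b""))
            continue
        if pos + length > len(buf):
            raise DerError("value runs past end of buffer")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def parse_algorithm_identifier(buf, strict=True):
    """Parse SEQUENCE { algorithm OID, parameters }; return (oid_bytes, parameters_tag)."""
    tlvs = parse_tlvs(buf, strict)
    if len(tlvs) != 1 or tlvs[0][0] != 0x30:
        raise DerError("expected a single SEQUENCE")
    inner = parse_tlvs(tlvs[0][1], strict)
    if len(inner) != 2 or inner[0][0] != 0x06:
        raise DerError("expected OID followed by parameters")
    return inner[0][1], inner[1][0]


def classify(buf):
    """Show how a strict and a lenient parser each see the same bytes."""
    try:
        parse_algorithm_identifier(buf, strict=True)
        strict_result = "accepted"
    except DerError as err:
        strict_result = "rejected (%s)" % err
    try:
        _, params_tag = parse_algorithm_identifier(buf, strict=False)
        lenient_result = "accepted, params tag 0x%02x" % params_tag
    except DerError as err:
        lenient_result = "rejected (%s)" % err
    return strict_result, lenient_result


def find_eoc_in_algid(blob):
    """Detection helper: offsets of AlgorithmIdentifier-shaped SEQUENCEs (30 len 06 oidlen
    ...) whose two-byte parameters element is 00 00 rather than 05 00. Generalises the
    quoted case to any short-form OID length, not just the 9-byte OID used above."""
    hits = []
    i = blob.find(b"\x30")
    while i >= 0:
        if i + 3 < len(blob) and blob[i + 2] == 0x06:
            seq_len, oid_len = blob[i + 1], blob[i + 3]
            if seq_len < 0x80 and seq_len == oid_len + 4 and \
                    blob[i + 4 + oid_len:i + 6 + oid_len] == b"\x00\x00":
                hits.append(i)
        i = blob.find(b"\x30", i + 1)
    return hits


if __name__ == "__main__":
    for name, data in (("valid", ALGID_VALID), ("evasive", ALGID_EVASIVE)):
        print(name, data.hex(), classify(data))
    print("EOC hits:", find_eoc_in_algid(b"junk" + ALGID_EVASIVE + ALGID_VALID))
```

The strict walker refuses the evasive encoding at the EOC, which is the behaviour that leaves a signature-extracting product with nothing to inspect, while the lenient walker returns a parameters tag of 0x00 and otherwise sees the same OID and structure, which is why the signature can still look valid to it. The last function is the kind of byte-pattern check a scanner can run over a PE's certificate table to flag the edit regardless of what the parser does.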

“This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files,” Mehta explained today.

The Google researcher said he reported the issue to Microsoft so the Redmond-based company can start work on modifying its signature checking algorithms.

Files infected with the OpenSUpdater adware are currently distributed via game cracks and pirated software.

Once they infect a system, the adware is used to download and install unwanted software, part of pay-per-install schemes.

Google said most OpenSUpdater victims are located in the US.

The post Google finds adware strain abusing novel file signature evasion technique appeared first on The Record by Recorded Future.
