[TheRecord] Google finds adware strain abusing novel file signature evasion technique

One of Google’s security teams said it found a malware strain abusing a new technique to evade detection from security products by cleverly modifying the digital signature of its payloads.

Discovered by Neel Mehta, a security researcher for the Google Threat Analysis Group (TAG), the technique was seen abused by an adware strain named OpenSUpdater.

In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the ‘parameters’ element of the SignatureAlgorithm signing the leaf X.509 certificate. EOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding (l=13).

Neel Mehta, analyst for the Google Threat Analysis Group

While the technical explanation is a bit hard to understand for non-technical users, Mehta is referring to a tiny edit the OpenSUpdater gang made in a small field inside the digital signature of their payloads.

On Windows systems, this tiny edit does not affect the operating system’s file signature checks, which, when passed, allow the file to run without any security warnings.

However, Mehta says that security products, most of which use the OpenSSL library to parse and extract a file’s signature information, will fail to scan files that had their digital signature modified by this method.
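As an added illustration of the anomaly Mehta describes (this is example code, not Google’s or TAG’s), a strict DER walker that flags an End of Content marker appearing inside a definite-length encoding. It runs over a constructed sha256WithRSAEncryption AlgorithmIdentifier in its normal form and with the NULL ‘parameters’ element replaced by EOC; the 13-byte definite length matches the one in the quote. Detectors that lean on a lenient parser would want a check like this before trusting what the parser returns.

```python
from typing import List, Optional, Tuple

EOC_TAG = 0x00        # End of Content: only valid after an indefinite-length header
CONSTRUCTED = 0x20    # bit 6 of the tag byte marks SEQUENCE/SET-style containers


def read_length(buf: bytes, pos: int) -> Tuple[Optional[int], int]:
    """Decode a BER/DER length at pos. Returns (length, content_start);
    length is None for the indefinite form (0x80), which DER forbids."""
    first = buf[pos]
    if first == 0x80:
        return None, pos + 1
    if first & 0x80:
        n = first & 0x7F
        return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n
    return first, pos + 1


def find_eoc_in_definite(buf: bytes, start: int = 0, end: Optional[int] = None) -> List[int]:
    """Walk the TLV stream and return offsets of every EOC (0x00 0x00) that sits
    inside a definite-length encoding. For well-formed DER this list is empty."""
    end = len(buf) if end is None else end
    findings: List[int] = []
    pos = start
    while pos < end:
        tag = buf[pos]
        if tag == EOC_TAG:
            # Nothing here was opened with an indefinite length, so an EOC is an anomaly.
            findings.append(pos)
            pos += 2
            continue
        length, content = read_length(buf, pos + 1)
        if length is None:
            # Indefinite length is not DER at all; stop, the element is suspect anyway.
            findings.append(pos)
            break
        if tag & CONSTRUCTED:
            findings.extend(find_eoc_in_definite(buf, content, content + length))
        pos = content + length
    return findings


# Constructed sample: SEQUENCE(13) { OID sha256WithRSAEncryption, NULL }.
SHA256_RSA_ALGID = bytes.fromhex("300d06092a864886f70d01010b0500")
# Same structure with the NULL (05 00) swapped for an EOC (00 00), as described above.
TAMPERED_ALGID = bytes.fromhex("300d06092a864886f70d01010b0000")

if __name__ == "__main__":
    print("normal:  ", find_eoc_in_definite(SHA256_RSA_ALGID))   # []
    print("tampered:", find_eoc_in_definite(TAMPERED_ALGID))     # [13]
```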

“This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files,” Mehta explained today.

The Google researcher said he reported the issue to Microsoft so the Redmond-based company can start work on modifying its signature checking algorithms.

Files infected with the OpenSUpdater adware are currently distributed via game cracks and pirated software.

Once it infects a system, the adware downloads and installs unwanted software as part of pay-per-install schemes.

Google said most OpenSUpdater victims are located in the US.
