Google Says Threat Actors Using New Code Signing Tricks to Evade Detection
Financially motivated threat actors have started using new code signing tricks to increase the chances of their software evading detection on Windows systems, Google’s Threat Analysis Group reported on Thursday.
The new technique has been used by the operators of OpenSUpdater, which cybersecurity vendors have classified as adware, potentially unwanted program (PUP), or potentially unwanted application (PUA). These types of pieces of software can ruin the user experience and they may attempt to download and install other shady programs.
The operation observed by Google has impacted many users in the United States, particularly people who download game cracks and what the tech giant has described as “grey-area software.”
OpenSUpdater operators have been signing their files using code-signing certificates from a legitimate certificate authority. In mid-August, Google noticed that some samples had an invalid signature, and further analysis revealed that this was actually done as part of an attempt to evade detection.
“In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the ‘parameters’ element of the SignatureAlgorithm signing the leaf X.509 certificate,” Google researchers explained in a blog post. “EOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding.”
This type of signature is detected as invalid by security products that leverage OpenSSL, but Google researchers noticed that the Windows operating system treats the signature as valid.
Google noticed that OpenSUpdater authors have been experimenting with invalid encodings — they identified other variations as well — in an effort to find ways of evading detection.
Google said it reported its findings to Microsoft. SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.