Google's Threat Analysis Group (TAG) has recently discovered malware that uses a new method to evade detection by security products: it modifies the digital signature of its files.
Neel Mehta, a security researcher with Google's Threat Analysis Group who detected the malware, said the method was used by an adware strain called OpenSUpdater.
The method is somewhat difficult to understand, especially for users unfamiliar with this kind of attack.
Mehta attributes the evasion to a small edit that the OpenSUpdater developers made to one field inside the digital signature of its payloads.
Code signatures on Windows executables provide guarantees about the integrity of a signed executable and also carry data identifying the signer.
Threat actors can avoid detection if they can disguise their identity in the signature without outwardly breaking the integrity of the signature.
Moreover, threat actors can also extend the useful lifetime of their code-signing certificates in order to infect more systems.
OpenSUpdater is a well-known malware family, known for unwanted software that generally violates Google's policies.
The group's software is quite harmful: it degrades the user experience and typically downloads and installs other untrustworthy programs.
The operators behind this campaign aim to infect as many users as possible; investigation of the targets showed that most of them are within the United States and inclined to download game cracks and grey-area software.
Breaking Certificate Parsing for Detection Evasion
The OpenSUpdater samples carry an invalid signature, and further research showed this was a deliberate attempt to evade detection.
Security products that use OpenSSL to extract the signature data reject this encoding as invalid, but to a parser that tolerates these encodings, the binary's digital signature appears legitimate and valid.
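The defensive lesson of the parser disagreement described above is that a detection pipeline must not collapse "our parser rejected the signature" into "the file is unsigned", because the operating system's own verifier may still accept it. The following example, added here and not code from Google TAG or the article, is a constructed illustration: a minimal DER reader with a strict mode (minimal DER lengths enforced) and a lenient mode, applied to a signature's AlgorithmIdentifier. The sample bytes are constructed; the malformation used (a NULL encoded with a non-minimal long-form length, which BER permits but DER forbids) is chosen for illustration and is not claimed to be the specific edit OpenSUpdater made. The `classify` function reports "malformed-but-parsable" as its own category so that such files are flagged rather than silently treated as unsigned.

```python
"""Strict vs. lenient DER parsing of a signature AlgorithmIdentifier.

Constructed illustration (not Google TAG's code): two parsers disagree on
whether an encoding is valid. A triage step that turns a strict-parse failure
into "no signature present" loses the signer-based detection signal, so the
classifier below keeps "malformed" as a distinct, flaggable outcome.
"""


class DERError(ValueError):
    """Raised for any encoding the parser refuses."""


def read_tlv(buf: bytes, pos: int, strict: bool):
    """Read one tag-length-value triple; return (tag, value, next_pos).

    strict=True enforces DER's minimal length encoding; strict=False accepts
    the looser BER forms, as a tolerant parser would.
    """
    if pos >= len(buf):
        raise DERError("truncated: no tag")
    tag = buf[pos]
    pos += 1
    if pos >= len(buf):
        raise DERError("truncated: no length")
    first = buf[pos]
    pos += 1
    if first < 0x80:  # short form
        length = first
    else:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise DERError("unsupported length form")
        if pos + n > len(buf):
            raise DERError("truncated: length bytes")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if strict and (length < 0x80 or buf[pos] == 0):
            # DER requires the shortest possible length encoding.
            raise DERError("non-minimal length encoding (BER, not DER)")
        pos += n
    if pos + length > len(buf):
        raise DERError("truncated: value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_algorithm_identifier(blob: bytes, strict: bool) -> dict:
    """Parse SEQUENCE { algorithm OID, parameters NULL OPTIONAL }."""
    tag, body, end = read_tlv(blob, 0, strict)
    if tag != 0x30:
        raise DERError("expected SEQUENCE")
    if end != len(blob):
        raise DERError("trailing bytes after SEQUENCE")
    oid_tag, oid, pos = read_tlv(body, 0, strict)
    if oid_tag != 0x06:
        raise DERError("expected OBJECT IDENTIFIER")
    params = None
    if pos < len(body):
        ptag, pval, pos = read_tlv(body, pos, strict)
        if ptag != 0x05 or pval != b"":
            raise DERError("unexpected parameters element")
        params = "NULL"
        if pos != len(body):
            raise DERError("trailing bytes inside SEQUENCE")
    return {"oid": decode_oid(oid), "params": params}


def classify(blob: bytes) -> str:
    """Defender-side triage of a signature's AlgorithmIdentifier bytes."""
    if not blob:
        return "absent"
    try:
        parse_algorithm_identifier(blob, strict=True)
        return "valid"
    except DERError:
        pass
    try:
        parse_algorithm_identifier(blob, strict=False)
        return "malformed-but-parsable"  # strict rejects, lenient accepts: flag it
    except DERError:
        return "unparsable"


# Constructed samples: sha256WithRSAEncryption (1.2.840.113549.1.1.11) with NULL params.
GOOD = bytes.fromhex("300d06092a864886f70d01010b0500")        # NULL as 05 00 (DER)
MALFORMED = bytes.fromhex("300e06092a864886f70d01010b058100")  # NULL as 05 81 00 (BER only)

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("malformed", MALFORMED), ("empty", b"")]:
        print(f"{name}: {classify(blob)}")
```

In a real pipeline the blob would be cut from the PE's Authenticode signature; the point of the example is the branch structure of `classify`, in which a signature that one parser accepts and another rejects is surfaced as a finding in its own right.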
Once the issue was discovered, the Google TAG researcher also communicated with Microsoft to describe this detection evasion tactic.
Google TAG is also working with the Google Safe Browsing team to block this malware family from spreading to other victims' computers.