Researchers from Google's Threat Analysis Group (TAG) have spotted what they describe as a new technique by a financially motivated attacker to sneak adware and other unwanted software past malware detection tools.
In a blog post this week, Google researcher Neel Mehta described the threat actor as using a code-signing certificate issued by a legitimate certificate authority to produce signatures that security tools built on OpenSSL cannot decode or inspect, but that Windows accepts as valid.
This attacker has been using these signatures to distribute OpenSUpdater, a known malware family that is used to install other unwanted and potentially harmful software on infected systems. The operator of OpenSUpdater has been observed trying to infect as many systems as possible in what appears to be an opportunistic manner. While the group does not have any specific targets, most victims are in the US and appear to be individuals prone to downloading game-cracking software and similar "grey-area software," Mehta said.
Software developers use code-signing certificates from trusted authorities to sign executable code to validate their identities and confirm the software is legitimate. Browsers, malware detection tools, and operating systems use these signatures to verify whether a particular piece of code can be trusted to run in the environment. For quite some time, attackers have used stolen or otherwise illegally obtained digital certificates to bypass malware detection tools and extend the ability of their malware to stay undetected on compromised systems and networks.
In one recent incident, Microsoft itself inadvertently signed a malicious driver submitted for validation through its Windows Hardware Compatibility Program (WHCP). The signed driver, called "Netfilter," was distributed within gaming environments in China and gave Chinese gamers a way to spoof their geolocation so they could play from anywhere. The incident prompted Microsoft to announce a change in its processes and policies for vetting drivers submitted by third parties through WHCP.
In other instances, attackers have snuck malicious code past detection systems by embedding the code into digitally signed, trusted software components. The most notable recent example is the attack on SolarWinds, in which threat actors hid a Trojan in signed updates of the company's Orion software.
What's different with OpenSUpdater is its use of a deliberately malformed signature to evade detection. Since at least mid-August, the author of the malware has been signing OpenSUpdater samples with a signature that has been edited in a way that OpenSSL-based security products cannot parse or decode. Groups of OpenSUpdater samples have been observed to be signed with the same malformed signature.
"Security products using OpenSSL to extract signature information will reject this encoding as invalid," Mehta said. "However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid."
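The evasion described above rests on a parser differential: a signature blob that a strict DER parser (such as OpenSSL's) rejects while a more permissive BER-tolerant parser accepts. The following is an added illustration, not code from Google TAG or from the blog post, and the two malformed encodings it uses (a long-form length where the short form is required, and an indefinite-length SEQUENCE) are constructed examples of non-DER encodings in general; the page does not say which specific edit the OpenSUpdater operator made. The defender's point it demonstrates is that a tool should classify "signature present but rejected by the strict parser" as a distinct, alertable state rather than silently folding it into "unsigned".

```python
"""Parser-differential check for DER/BER signature blobs (constructed example).

A minimal TLV parser that can run in strict (DER) or lenient (BER-tolerant)
mode. A blob that only the lenient mode accepts is exactly the kind of input
that a permissive verifier may treat as valid while an OpenSSL-based scanner
rejects it, so it is reported as "signed-malformed" rather than "unsigned".
Multi-byte tags are out of scope for this illustration.
"""


class StrictDerError(ValueError):
    """Raised for encodings that BER permits but DER forbids."""


def _read_length(buf: bytes, pos: int, strict: bool):
    """Return (length, new_pos); length is None for BER indefinite length."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form, always fine
        return first, pos
    if first == 0x80:                      # indefinite length: BER only
        if strict:
            raise StrictDerError("indefinite length is not allowed in DER")
        return None, pos
    n = first & 0x7F                       # long form: n length bytes follow
    if pos + n > len(buf):
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[pos:pos + n], "big")
    pos += n
    if strict:
        if buf[pos - n] == 0:              # leading zero byte in the length
            raise StrictDerError("non-minimal length encoding")
        if length < 0x80:                  # short form would have sufficed
            raise StrictDerError("long form used for a short length")
    return length, pos


def _parse_elements(buf: bytes, pos: int, end: int, strict: bool, stop_at_eoc: bool):
    """Parse TLV elements in buf[pos:end]; returns (elements, new_pos)."""
    elems = []
    while pos < end:
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags not supported in this example")
        length, pos = _read_length(buf, pos, strict)
        if tag == 0x00 and length == 0:    # end-of-contents marker (BER)
            if stop_at_eoc:
                return elems, pos
            raise ValueError("unexpected end-of-contents marker")
        constructed = bool(tag & 0x20)
        if length is None:                 # indefinite length (lenient only)
            if not constructed:
                raise ValueError("indefinite length on a primitive element")
            children, pos = _parse_elements(buf, pos, end, strict, stop_at_eoc=True)
            elems.append((tag, children))
            continue
        if pos + length > end:
            raise ValueError("truncated value")
        if constructed:
            children, _ = _parse_elements(buf, pos, pos + length, strict, stop_at_eoc=False)
            elems.append((tag, children))
        else:
            elems.append((tag, buf[pos:pos + length]))
        pos += length
    if stop_at_eoc:
        raise ValueError("missing end-of-contents marker")
    return elems, pos


def parse_der(buf: bytes, strict: bool = True) -> list:
    """Parse a whole blob; raises ValueError (or StrictDerError) on failure."""
    elems, _ = _parse_elements(buf, 0, len(buf), strict, stop_at_eoc=False)
    return elems


def classify_signature(blob: bytes) -> str:
    """Triage a signature blob into a state a detection pipeline can act on."""
    if not blob:
        return "unsigned"
    try:
        parse_der(blob, strict=True)
        return "signed-well-formed"
    except ValueError:
        pass
    try:
        parse_der(blob, strict=False)
        return "signed-malformed"          # strict rejects, lenient accepts: alert
    except ValueError:
        return "signed-unparseable"


# Constructed sample blobs: SEQUENCE { INTEGER 5, OCTET STRING AA BB }
GOOD = bytes.fromhex("30 07 02 01 05 04 02 AA BB")          # valid DER
NONMINIMAL = bytes.fromhex("30 81 07 02 01 05 04 02 AA BB")  # long-form length 7
INDEFINITE = bytes.fromhex("30 80 02 01 05 04 02 AA BB 00 00")  # indefinite + EOC
TRUNCATED = bytes.fromhex("30 05 02")                        # cut off mid-element

if __name__ == "__main__":
    for name, blob in [("GOOD", GOOD), ("NONMINIMAL", NONMINIMAL),
                       ("INDEFINITE", INDEFINITE), ("TRUNCATED", TRUNCATED)]:
        print(f"{name:<11} -> {classify_signature(blob)}")
```

The three-way split matters operationally: a scanner that maps a strict-parse failure straight to "no signature" hands an attacker a quiet path around any rule keyed on signature validity, whereas the "signed-malformed" bucket surfaces the disagreement between parsers as its own signal worth investigating.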
Since the Windows operating system treats the signature as valid, Google has reported the issue to Microsoft, he said.
According to Mehta, this is the first time that Google's TAG has observed a threat actor using a deliberately malformed digital signature to evade malware detection tools.
"Since first discovering this activity, OpenSUpdater's authors have tried other variations on invalid encodings to further evade detection," Mehta said, without offering any other details.