
Cybersecurity researchers have disclosed a novel technique adopted by a threat actor to deliberately evade detection by applying malformed digital signatures to its malware payloads.

“Attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number of security scanning products,” Google Threat Analysis Group’s Neel Mehta said in a write-up published on Thursday.

The new technique was observed in use by OpenSUpdater, a notorious family of unwanted software that downloads and installs other suspicious programs on compromised systems. Most targets of the campaign are users located in the U.S. who are prone to downloading cracked versions of games and other grey-area software.

The findings come from a set of OpenSUpdater samples uploaded to VirusTotal since at least mid-August.

Adversaries in the past have relied on illegally obtained digital certificates to sneak adware and other unwanted software past malware detection tools, or have embedded attack code into digitally signed, trusted software components by poisoning the software supply chain. OpenSUpdater stands out for its intentional use of malformed signatures to slip through defenses.
