By Devon Warren-Kachelein
Sat | Sep 25, 2021 | 3:45 PM PDT

Whether it is ransomware, other types of malware, or any number of cyberattacks, threat actors keep inventing new techniques to cause disruption.

Google recently landed on one of these techniques while tracking hackers in this ongoing game of cat and mouse.

In a blog post, Neel Mehta, Information Security lead for Google, explains how an attacker has crafted code signatures that break certificate parsing in security scanners, allowing malware to slip past filtering, reach users' email inboxes, and infect their machines. Mehta wrote:

"Attackers often rely on varying behaviors between different systems to gain access. For instance, attackers may bypass filtering by convincing a mail gateway that a document is benign, so the computer treats it as an executable program.

In the case of the attack outlined [in our post], we see that attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code—which is used in a number of security scanning products.

We believe this is a technique the attacker is using to evade detection rules."

Faking legitimate code signatures: how does it work?

Google's Threat Analysis Group discovered a "financially motivated" bad actor is gaming the system in a key area of authentication:

"Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer."

This actor is now obscuring their identity within the code signature itself, without invalidating it, which helps them dodge detection for longer:

"Attackers who are able to obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems," Mehta wrote.

This technique was observed in OpenSUpdater, a program built for malicious purposes.

"The actor behind OpenSUpdater tries to infect as many users as possible and while they do not have specific targeting, most targets appear to be within the United States and prone to downloading game cracks and grey-area software."

According to Google, this actor began using this method in the summer of 2021.

"Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation showed this was a deliberate attempt to evade detection. In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the 'parameters' element of the SignatureAlgorithm signing the leaf X.509 certificate."
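The quoted malformation is a one-byte-pair change at the DER level, and the reason it splits parser behavior is worth seeing concretely. The following is an added example, not code from Google TAG or from this article: it builds a constructed AlgorithmIdentifier in both its well-formed shape (OID followed by a NULL `parameters` element) and the evasive shape described above (the NULL replaced by an End-of-Content marker), then parses each with a strict, DER-conformant walker and with a lenient one. The lenient mode only models a consumer that tolerates the EOC; the exact behavior of Windows' Authenticode parser is not on the page and is not claimed here. The detection helper flags the case where the two parsers disagree in exactly this way, which is the signal a scanner would want.

```python
# Added example, not code from Google TAG or from this article. It models the
# DER malformation the article quotes: the NULL 'parameters' element of an
# AlgorithmIdentifier replaced by an End-of-Content (EOC) marker, and shows
# why a strict DER parser rejects it while a lenient one silently accepts it.
# All sample bytes below are constructed for this example.

# Content octets of OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption).
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")

# Constructed: well-formed AlgorithmIdentifier
#   SEQUENCE (13 bytes) { OBJECT IDENTIFIER (9 bytes), NULL }
GOOD_ALG_ID = bytes([0x30, 0x0D, 0x06, 0x09]) + SHA256_RSA_OID + bytes([0x05, 0x00])

# Constructed: same structure with NULL (05 00) swapped for EOC (00 00).
# Total length is unchanged, so the outer SEQUENCE length byte still matches
# and nothing else in the encoding has to move.
EVASIVE_ALG_ID = bytes([0x30, 0x0D, 0x06, 0x09]) + SHA256_RSA_OID + bytes([0x00, 0x00])

TAG_EOC, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x00, 0x05, 0x06, 0x30


def read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value element at pos (short-form lengths only,
    which is all this example needs). Returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("element length runs past end of buffer")
    return tag, buf[start:end], end


def parse_algorithm_identifier(der: bytes, strict: bool):
    """Return the (tag, value) elements inside the AlgorithmIdentifier SEQUENCE.

    strict=True behaves like a DER-conformant library: an EOC tag inside a
    definite-length SEQUENCE is an error, because EOC is only legal as the
    terminator of an indefinite-length (0x80) encoding, which DER forbids.
    strict=False models a consumer that treats the EOC as a harmless empty
    element (an assumption for illustration, not a claim about any product).
    """
    tag, body, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    elements, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if strict and t == TAG_EOC:
            raise ValueError("End-of-Content marker inside definite-length SEQUENCE")
        elements.append((t, v))
    if not elements or elements[0][0] != TAG_OID:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    return elements


def has_eoc_substitution(der: bytes) -> bool:
    """Detection check: True when a lenient parse succeeds but a strict parse
    fails specifically on an EOC marker, i.e. the two parsers disagree in the
    way the article describes. Inputs broken for both parsers return False."""
    try:
        lenient = parse_algorithm_identifier(der, strict=False)
    except ValueError:
        return False
    try:
        parse_algorithm_identifier(der, strict=True)
        return False
    except ValueError as exc:
        return "End-of-Content" in str(exc) and any(t == TAG_EOC for t, _ in lenient)


if __name__ == "__main__":
    for name, blob in (("good", GOOD_ALG_ID), ("evasive", EVASIVE_ALG_ID)):
        print(name, "lenient:", parse_algorithm_identifier(blob, strict=False))
        try:
            print(name, "strict:", parse_algorithm_identifier(blob, strict=True))
        except ValueError as exc:
            print(name, "strict: REJECTED ->", exc)
        print(name, "flagged:", has_eoc_substitution(blob))
```

The point to take from running it is that the evasive encoding is byte-for-byte the same length as the good one, so checks that only validate lengths or hash the signed content see nothing wrong; the disagreement appears only when a parser asks whether a tag of 0x00 is allowed at that position. A scanner that wants to stop relying on the lenient path can treat "strict parse fails, lenient parse succeeds" as its own detection signal rather than silently skipping the file.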

Google's findings are another example of how attacks are ever-evolving, and there is always something new emerging on the threat landscape.

"This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files."

What other kinds of emerging threats are lurking in the wings? Read more of the details for yourself on Google's Threat Analysis Group blog.

[RESOURCE: Even the best organizations have weaknesses in their cybersecurity defense plan. Roger Grimes, an IT consultant with more than 30 years of experience, will present A Master Class on Cybersecurity: Data-Driven Defense on October 7th for SecureWorld. Register for insights and CPE credit.]
