Security researchers have discovered hackers developing malformed code signatures seen as valid in Windows to avoid security software detection.
Researchers at Google’s Threat Analysis Group found the hackers used the techniques to install OpenSUpdater. They then use the software to download and install other suspicious programs.
“The actor behind OpenSUpdater tries to infect as many users as possible and while they do not have specific targeting, most targets appear to be within the United States and prone to downloading game cracks and grey-area software,” said Neel Mehta, a security researcher at Google.
About a month ago, Mehta found that OpenSUpdater developers started signing samples with legitimate but intentionally malformed certificates. The samples were uploaded to VirusTotal as far back as mid-August, and Windows accepted them. OpenSSL, however, rejected them.
In these new samples, hackers edited the signature so an end-of-content (EOC) marker replaced a NULL tag for the “parameters” element of the SignatureAlgorithm signing the leaf X.509 certificate.
EOC markers terminate indefinite-length encodings, but in this case, an EOC is used within a definite-length encoding.
“Security products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid,” said Mehta.
Managing security and risk across the IT supply chain: A practical approach
Best practices for IT supply chain security
Mehta said this was the first time his researchers observed hackers using this technique to evade detection while preserving a valid digital signature on PE files.
"Since first discovering this activity, OpenSUpdater's authors have tried other variations on invalid encodings to further evade detection," Mehta added.
Upon discovering the issue, Mehta reported to Microsoft to investigate. Mehta’s team is currently working the Google Safe Browsing to protect users from downloading and executing this unwanted software. He stressed users should only download and install software from reputable and trustworthy sources.
OpenSSL, a widely used encryption software library, itself has been the subject of flaws. As reported in April, a severe flaw that could have allowed hackers to crash many servers was patched. The update, OpenSSL 1.1.1k, fixed two severe bugs, including CVE-2021-3449, which could have been exploited by hackers to deliberately crash vulnerable web servers or email servers at will, causing a looped denial of service (DoS) situation.
