Google TAG spotted actors using new code signing tricks to evade detection

Pierluigi Paganini September 26, 2021

Researchers from Google’s TAG team reported that financially motivated actors are using new code signing tricks to evade detection.

Researchers from Google’s Threat Analysis Group reported that financially motivated actors are using new code signing tricks to evade detection.

By code signing executables, it is possible to verify their integrity and provide information about the identity of the signer.

The experts noticed that the technique was employed by operators behind OpenSUpdater, which is a known family of unwanted software 

The threat actors aimed at infecting as many users as possible, most of their targets appear to be US users interested in downloading game cracks and grey-area software.

The researchers noticed that OpenSUpdater samples were often signed with the same code-signing certificate, but since mid-August, they noticed that the executables had an invalid signature.

Further investigation revealed that that the invalid signature was used in the attempt to evade detection. I

“In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the ‘parameters’ element of the SignatureAlgorithm signing the leaf X.509 certificate.” read the analysis published by Google TAG. “In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the ‘parameters’ element of the SignatureAlgorithm signing the leaf X.509 certificate. EOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding (l= 13).”

The researchers explained that security products using OpenSSL to extract signature information will consider this encoding invalid. However, some parsers consider valid these encodings allowing to validate the digital signature of the executables, this is what happens in Windows operating system.

code signing trick

Experts explained that this is the first time it has spotted attackers using this technique to evade detection.

OpenSUpdater’s authors have employed different variations on invalid encodings over time to evade detection.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, code signing)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment