Cybersecurity researchers have disclosed a novel technique adopted by a threat actor to deliberately evade detection with the help of malformed digital signatures of its malware payloads.
The new mechanism was observed to be exploited by a notorious family of unwanted software known as OpenSUpdater that’s used to download and install other suspicious programs on compromised systems. Most targets of the campaign are users located in the U.S. who are prone to downloading cracked versions of games and other grey-area software.
The malware, known as OpenSUpdater, is usually distributed through illegitimate websites that pose as legitimate software download portals. In most cases, it’s downloaded from a third-party source and installed to the local system with the “unattended installation” feature enabled without user consent.
In a bid to evade detection, the criminals take advantage of security flaws in the program’s digital signatures that are built into its executable files for identification purposes. The developers of OpenSUpdater use an erroneous procedure in generating the digital signature generator (DSA) keys by using an MD5 algorithm when generating signature hashes instead of using SHA-256.
In some instances, the cybercriminals generate DSA keys from a set of public and private keys stored in a Microsoft CryptoAPI Keycontainer. The researchers believe that the malformed signatures are designed to ensure that end-users don’t become suspicious and attempt to avoid installing software with such signatures.
To validate the authenticity of OpenSUpdater, its developers use a hacked digital signature feature associated with Windows’ CryptoAPI. The tool is programmed to display the real digital signature on its interface, but actually uses a different one during installation.
Most users, however, are not even aware of the malformed signatures. Aside from allowing OpenSUpdater to evade detection by security solutions, the false signatures also enable its developers to save time and effort for setting up new campaigns.
“The creators of this malware would have invested considerable time and effort in finding the correct keys to sign their Trojan installer with multiple vendors’ Digital Signatures. However, by making use of the wrong key they were able to save both time and effort,” Trend Micro pointed out. “Moreover, since these keys are hard-coded into the malware itself, there is no need for them to retrieve them from anywhere else. This would make for a fast and effective way to produce malware regardless of the affected Windows version.”
When installed, OpenSUpdater runs as a process in the background and keeps checking for updates at specific intervals. However, the actual payload is executed only if the app is launched with elevated privileges. The malware then downloads and installs other unwanted programs such as Backdoor.Win32.Androm and Trojan:Win32/Rovnix onto compromised computers without user consent, enabling cybercriminals to gain complete control over compromised systems.
Trend Micro has notified Microsoft about its findings and also informed other vendors about this new threat actor’s evasion techniques to lessen the impact on users. The company also ensured that the new OpenSUpdater malware variant does not pose a threat to its users.
“Users of Trend Micro products are already protected from this threat via Trend Micro XGen™ security that detects and blocks this attack with the following generic detections: 1008906, 1008907, and 1008909. For users’ safety, we also recommend that they avoid getting into the habit of clicking on links and downloads from untrusted websites,” said Allan Liscio, Security Evangelist of Trend Micro’s Asia Pacific & Japan Office. “Meanwhile, businesses need to secure their systems against threats such as these by adopting a multi-layered security approach. We also encourage them to regularly update their software with the latest security patches.”
The artifacts are signed with an invalid leaf X.509 certificate that’s edited in such a manner that the ‘parameters’ element of the SignatureAlgorithm field contains an End-of-Content (EOC) marker instead of a NULL tag. Although such encodings are rejected as invalid by products that use OpenSSL to retrieve signature information, checks on Windows systems would permit the file to be run without any security warnings.
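To make the encoding quirk concrete, here is an added example (not code from the article, from Trend Micro, or from any of the products mentioned): a minimal DER walker that inspects an X.509 AlgorithmIdentifier and flags an End-of-Content octet pair (0x00 0x00) sitting where the NULL parameters tag (0x05 0x00) belongs. The function and variable names are this example’s own, and the two byte strings are constructed here, one well-formed sha256WithRSAEncryption identifier and one with the EOC substitution.

```python
# Added example: a strict DER inspection of the AlgorithmIdentifier
# structure. The sample byte strings at the bottom are constructed.

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value triple starting at pos.

    Returns (tag, value, next_pos). Only definite-form lengths up to
    4 bytes are handled, which covers well-formed certificates.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated value")
    return tag, value, pos + length


def decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    if not value:
        raise ValueError("empty OID")
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    if cur:
        raise ValueError("unterminated OID arc")
    return ".".join(str(a) for a in arcs)


def inspect_algorithm_identifier(der: bytes) -> dict:
    """Classify the parameters field of a DER AlgorithmIdentifier.

    Returns the algorithm OID, what occupies the parameters position,
    and a verdict a signature verifier could act on.
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    oid_tag, oid_body, pos = _read_tlv(body, 0)
    if oid_tag != 0x06:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    result = {"oid": decode_oid(oid_body), "parameters": "absent", "verdict": "ok"}
    if pos == len(body):
        return result  # parameters omitted entirely, legal for some algorithms
    ptag = body[pos]
    if ptag == 0x00:
        # Tag 0x00 is reserved for the BER End-of-Content marker and has no
        # place inside a definite-length DER SEQUENCE. A strict parser rejects
        # it; a lenient one may silently treat it as the end of the structure.
        result["parameters"] = "eoc"
        result["verdict"] = "malformed: EOC marker where NULL expected"
        return result
    ptag, pbody, pos = _read_tlv(body, pos)
    if pos != len(body):
        result["verdict"] = "malformed: extra data after parameters"
    elif ptag == 0x05 and len(pbody) == 0:
        result["parameters"] = "null"
    else:
        result["parameters"] = f"tag 0x{ptag:02x}"
    return result


# Constructed samples: sha256WithRSAEncryption (1.2.840.113549.1.1.11),
# once with the correct NULL parameters and once with the EOC octets.
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")
WELL_FORMED = bytes([0x30, 0x0D]) + OID_SHA256_RSA + bytes([0x05, 0x00])
MALFORMED = bytes([0x30, 0x0D]) + OID_SHA256_RSA + bytes([0x00, 0x00])

if __name__ == "__main__":
    for label, blob in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(label, inspect_algorithm_identifier(blob))
```

The design point is the one the article makes about OpenSSL versus Windows: a verifier that insists the parameters element carry a real tag (here, rejecting tag 0x00 outright) refuses the certificate, while a parser that stops reading at the first 0x00 0x00 pair would accept it as if the parameters were simply absent. Running the same strict check over the SignatureAlgorithm of each certificate in a signed binary is a cheap way to surface such samples for review.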