Posted on September 25, 2021 at 5:00 PM

Google Issues Report on How Hackers are Hiding Malware on Windows

Google’s Threat Analysis Group has issued a report detailing how hackers are using malware that can remain hidden on Windows devices, hence compromising a device without the user noticing it.

The report stated that one of the core factors that can help enhance cyber security efforts is understanding the strategies used by these hackers and finding the best way possible of handling these attacks.

New Evasion Technique

In the blog post, Google detailed how hackers are using a new evasion technique used by hackers who have the financial motivation to conduct an attack while avoiding detection.

Threat actors usually use various techniques to gain access to a target device. One of the strategies used is convincing the mail gateway that a document is not foreign; hence the device will execute the said program.

The recent technique used by hackers shows that the threat actors developed a malformed code signature that Windows will later treat as valid. However, these signatures will not be decoded by the device or inspected by the OpenSSL code, a program used in scanning products for security purposes. By using this technique, a hacker can avoid detection, and they can therefore go about their business unperturbed.

How it Works

Windows devices use code signatures to authenticate the security of an executable program. It also checks the details of the signer. However, attackers have come up with ways to hide their identity in the signature so that the device does not detect it as a security threat.

The hackers hide their signature without compromising the authenticity of the code signature so that any alterations will not be detected. Furthermore, they increase the lifetime of the code-signing certificates, which allows them to compromise more devices and systems.

One of the programs that the report pointed out was the OpenSUpdater. This is unwanted software on devices, which is not authorized by Google and can harm target devices. This software is used to download and install suspicious programs on a device and thereby compromising user experience.

The report also noted that the threat actors behind this unwanted software have a target of infecting as many users as possible. However, Google noted that the software does not have any pattern that shows who their intended targets are. Going by the past data shows that most of the people who are prone to attacks using this software are located in the United States. Furthermore, they are people who download game cracks and other suspicious software.

Samples collected from devices that use the OpenSUpdater shows that the code signatures usually carry the same code. The report further noted that the code-signing certificate is acquired from a legitimate certificate authority, making it hard for the device to detect the signature as suspicious.

Google further added that the software had been used to conduct attacks since mid-August after several OpenSUpdater samples were collected, containing falsified signatures. Further investigations on the matter showed there was a deliberate attempt by the software to operate while avoiding detection.

The samples collected by Google showed that “The signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the ‘parameters’ element of the SigantureAlgorithm signing the leaf X.509 certificate.”

“EOC markets terminate indefinite-length encodings, but in this case, an EOC is used within a definite-length encoding (1= 13),” the report added.

Google further stated that security products implementing the OpenSSL to gain access to signature information would no longer accept the encoding as valid. However, it noted that a user is still not fully protected because the code signature used by the binary will still be read as legitimate and valid.

“This is the first time TAG has observed actors using this technique to evade detection whole preserving a valid digital signature on PE files.” Google also added that “the signature is considered to be valid by the Windows operating system.” This shows that the malware can compromise users without them detecting it.

Google stated that the evasive technique and the malicious software being used has already been reported to Microsoft. However, Google stated that when the activity was discovered, OpenSUpdater developed other software variations to avoid detection.

Google also admitted that it was working closely with Google Safe Browsing to protect users from downloading this software and prevent it from being executed on their devices. Google further encouraged those using Windows devices and other computer systems to obtain software only from genuine and trustworthy sources. Hence, protecting oneself from these evasive techniques doubles down on general internet browsing safety techniques.