Researchers have discovered that financially motivated threat actors are using a new code-signing trick to evade detection on Windows systems. The technique was recently observed in OpenSUpdater attacks, which inject ads into victims' browsers when they attempt to download pirated applications.

What has happened?

Spotted by Google researchers, the recent operation has targeted numerous users in the U.S., especially individuals looking for game cracks, grey-area software, or pirated software.
  • In August, the tech giant discovered that the operators of OpenSUpdater are signing their files with code-signing certificates issued by a genuine certificate authority but deliberately malformed.
  • In the modified OpenSUpdater samples, an End of Content (EOC) marker replaces the NULL tag in the parameters element of the SignatureAlgorithm that signs the leaf X.509 certificate.
  • Security solutions that rely on OpenSSL reject such a certificate as invalid, but Windows treats the signature as valid, so the malware passes as legitimately signed code.
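The parser disagreement above is what a defender can turn into a detection: because OpenSSL-based tooling refuses to load the malformed certificate at all, a byte-level DER check is the practical way to flag it. The following is an added example, not code from Google or from the OpenSUpdater report; it walks a DER certificate to both AlgorithmIdentifier fields (tbsCertificate.signature and Certificate.signatureAlgorithm) and reports whether the parameters after the OID are a proper NULL (05 00) or an EOC marker (00 00). The sample certificates are constructed skeletons with no real signature, built only so the walk and the check can be exercised offline.

```python
"""Flag X.509 certificates whose AlgorithmIdentifier parameters use an EOC
marker (00 00) where DER requires NULL (05 00), the malformation described
for OpenSUpdater. Added example; the sample certificates are constructed."""
from typing import Tuple

# sha256WithRSAEncryption, 1.2.840.113549.1.1.11, as DER OID content bytes
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Only definite lengths are accepted, as DER requires."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:end], end


def classify_parameters(alg_body: bytes) -> str:
    """Classify what follows the OID inside an AlgorithmIdentifier SEQUENCE body."""
    tag, _oid, pos = read_tlv(alg_body, 0)
    if tag != 0x06:  # first child must be an OBJECT IDENTIFIER
        return "not-an-algorithm-identifier"
    rest = alg_body[pos:]
    if rest == b"":
        return "absent"          # legal for e.g. ECDSA algorithms
    if rest == b"\x05\x00":
        return "null"            # the correct encoding for RSA algorithms
    if rest[:2] == b"\x00\x00":
        return "eoc-in-place-of-null"  # the OpenSUpdater malformation
    return "other"


def find_algorithm_identifiers(cert_der: bytes) -> Tuple[bytes, bytes]:
    """Return the bodies of tbsCertificate.signature and Certificate.signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)           # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)     # signatureAlgorithm
    # tbsCertificate: [0] EXPLICIT version OPTIONAL, serialNumber, signature, ...
    t, _, p = read_tlv(tbs, 0)
    p = p if t == 0xA0 else 0                 # skip the version only if present
    _, _, p = read_tlv(tbs, p)                # serialNumber INTEGER
    _, inner_alg, _ = read_tlv(tbs, p)        # signature AlgorithmIdentifier
    return inner_alg, outer_alg


def scan_certificate(cert_der: bytes) -> dict:
    """Report both AlgorithmIdentifier encodings and whether either is the EOC variant."""
    inner, outer = find_algorithm_identifiers(cert_der)
    result = {
        "tbs_signature": classify_parameters(inner),
        "signatureAlgorithm": classify_parameters(outer),
    }
    result["suspicious"] = "eoc-in-place-of-null" in result.values()
    return result


# --- constructed sample data below; not real certificates -------------------
def der(tag: int, body: bytes) -> bytes:
    """Encode a DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(params: bytes) -> bytes:
    """Unsigned skeleton certificate carrying the given AlgorithmIdentifier parameters.
    The SEQUENCE length covers the parameter bytes, exactly as in the malformed samples."""
    alg = der(0x30, der(0x06, SHA256_RSA_OID) + params)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))   # version v3
                    + der(0x02, b"\x01\x2a")           # serialNumber (constructed)
                    + alg                              # signature
                    + der(0x30, b""))                  # remaining fields elided
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\x00" * 8))


if __name__ == "__main__":
    print("well-formed:", scan_certificate(build_sample_cert(b"\x05\x00")))
    print("malformed:  ", scan_certificate(build_sample_cert(b"\x00\x00")))
```

Running the script on a real file is a matter of `scan_certificate(open(path, "rb").read())` on the leaf certificate extracted from the Authenticode signature; the point of parsing the raw bytes is that a loader built on OpenSSL would already have rejected the malformed input before any rule could look at it.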

Additional insights

  • Google TAG is reportedly working in tandem with Google Safe Browsing to ensure user safety.
  • Meanwhile, the findings were shared with Microsoft, which, as per the latest update, does not consider this behaviour the result of a security flaw. No patch is therefore expected.
  • The team added that an attacker would not be successful in infecting devices via this technique alone, and noted that Microsoft Defender Antivirus detects and removes OpenSUpdater.

Conclusion

Cybercriminals keep exploring new ways to stay ahead and make themselves harder to spot, most often by exploiting users' interest in cracked or pirated software. This incident further highlights the importance of sticking to genuine products rather than risking security.

Cyware Publisher