Google catches hackers using a new technique to hide malware signatures
Neel Mehta, a researcher with Google's Threat Analysis Group (TAG) who specializes in hacking and online fraud, reports that a new technique of tampering with the digital signature of files is being used to evade detection by Windows security products.
According to Mehta, the technique was introduced by a known family of unwanted software named OpenSUpdater. Its developers hide their identity by producing malformed code signatures that Windows still accepts as valid but that OpenSSL-based code cannot decode or check.
The trick is hard to notice for anyone unfamiliar with this kind of attack. As Mehta points out, it comes down to a tiny edit in one small field inside the digital signature of the payloads.
Before getting into the technical details, some background on the unwanted software and on how it reaches victims' systems is in order.
OpenSUpdater is a family of unwanted software that Google has tracked for a couple of years. According to Google's research, most OpenSUpdater targets are in the U.S., and they are users who tend to download game cracks and other grey-area software. The new twist is the technique of hiding the signer's identity in the signature itself.
A digital signature is a mathematical scheme for verifying the authenticity and integrity of a file or message: it lets the recipient check that the file came from the holder of the signing key and has not been altered since it was signed. On Windows, executables carry such signatures in the form of code-signing certificates.
Three simple steps to inspect a file's digital signature on Windows:
- Right-click the file and choose Properties.
- Select the Digital Signatures tab in the top row of the Properties window.
- Select the signature in the list and click Details; Windows shows the signer's name and states whether the signature is OK.
In this scenario the threat actors behind OpenSUpdater avoid detection if the signature looks valid in that dialog while the signer's identity cannot be extracted by the tools that would normally check it.
Mehta shared a screenshot in which Windows reports the malicious file's signature as valid, which is all the attacker needs.
(Image source: google.com)
Mehta also explains how the malware was caught.
During the investigation it was found that groups of OpenSUpdater samples are typically signed with the same code-signing certificate, obtained from a legitimate certificate authority. Since mid-August, however, the samples have carried an invalid signature. That anomaly is what led the team to the evasion technique.
Mehta noted that the samples signed with an invalid leaf X.509 certificate are edited so that the 'parameters' element of the SignatureAlgorithm field contains an End-of-Content (EOC) marker instead of a NULL tag.
He added that EOC markers are meant to terminate indefinite-length encodings, but in this instance an EOC is used within a definite-length encoding (l = 13).
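To make the encoding detail concrete, here is an added example (not code from Google TAG or from the article) that walks a DER AlgorithmIdentifier with two parsers: a strict one that, like a DER parser, rejects an EOC octet pair inside definite-length content, and a lenient one that treats it as an ordinary empty element. The two byte strings are constructed by hand for this example, not taken from a real sample; a sha256WithRSAEncryption AlgorithmIdentifier happens to have a definite length of 13, the same figure quoted above, with the final two bytes being either the NULL tag (05 00) or, in the malformed variant, an EOC marker (00 00).

```python
"""Spot an EOC marker used in place of NULL inside a DER AlgorithmIdentifier.

Two parsers are modelled: a strict one that rejects an End-of-Content pair
inside definite-length content (DER rules), and a lenient one that tolerates
it. The inputs are constructed for this example, not bytes from a real sample.
"""

TAG_EOC = 0x00        # End-of-Content: only legal to close an indefinite-length encoding
TAG_NULL = 0x05
TAG_OID = 0x06
TAG_SEQUENCE = 0x30

OID_SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

# AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
# Well-formed: SEQUENCE (length 13) { OID (9 bytes), NULL (05 00) }
WELL_FORMED = bytes.fromhex("300d" "0609" "2a864886f70d01010b" "0500")
# Malformed: same definite length 13, but the parameters element is an EOC pair (00 00)
MALFORMED_EOC = bytes.fromhex("300d" "0609" "2a864886f70d01010b" "0000")


def read_tlv(buf: bytes, pos: int, strict: bool = True):
    """Read one tag-length-value triple at pos; return (tag, value, next_pos).

    In strict mode an EOC tag inside definite-length content is an error. In
    lenient mode it comes back as an ordinary zero-length element.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    if tag == TAG_EOC and strict:
        raise ValueError("EOC marker inside definite-length content")
    if first & 0x80:  # long-form length
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not permitted in DER")
        if pos + 2 + n > len(buf):
            raise ValueError("truncated long-form length")
        length = int.from_bytes(buf[pos + 2 : pos + 2 + n], "big")
        header = 2 + n
    else:
        length, header = first, 2
    start, end = pos + header, pos + header + length
    if end > len(buf):
        raise ValueError("element length exceeds buffer")
    return tag, buf[start:end], end


def parse_algorithm_identifier(der: bytes, strict: bool = True):
    """Parse an AlgorithmIdentifier; return (oid_bytes, (param_tag, param_value) or None)."""
    tag, body, end = read_tlv(der, 0, strict)
    if tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    tag, oid, pos = read_tlv(body, 0, strict)
    if tag != TAG_OID:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    params = None
    if pos < len(body):
        ptag, pval, pos = read_tlv(body, pos, strict)
        params = (ptag, pval)
    if pos != len(body):
        raise ValueError("unexpected bytes after parameters")
    return oid, params


def classify(der: bytes) -> str:
    """Return 'valid' if strict DER accepts the encoding, 'eoc-in-definite-length'
    when the strict parser rejects it but a lenient parse finds an EOC where the
    NULL parameters belong, and 'invalid' for anything else."""
    try:
        parse_algorithm_identifier(der, strict=True)
        return "valid"
    except ValueError:
        pass
    try:
        _oid, params = parse_algorithm_identifier(der, strict=False)
    except ValueError:
        return "invalid"
    if params is not None and params[0] == TAG_EOC and params[1] == b"":
        return "eoc-in-definite-length"
    return "invalid"


if __name__ == "__main__":
    for name, blob in (("well-formed", WELL_FORMED), ("malformed", MALFORMED_EOC)):
        print(f"{name}: SEQUENCE length {blob[1]}, classification {classify(blob)}")
```

The lenient parse still recovers the algorithm OID from the malformed blob, which is why a permissive verifier can carry on and report the signature as fine, while the strict parse stops at the EOC byte and never reaches the signature check. A scanner that wants to flag this anomaly rather than merely fail on it needs the second, lenient pass.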
OpenSSL is a widely used open-source toolkit for TLS and general cryptography, and many security products rely on it to parse certificates and verify digital signatures.
The consequence is the opposite of what one might expect. Security products that use OpenSSL to extract signature information reject the malformed encoding as invalid and therefore never get as far as checking the signature, while Windows accepts the encoding and shows the file as validly signed. OpenSSL's strictness is the correct behaviour, but rejecting a signature as unparseable is not the same as flagging the file as malicious.
This is not a protection users can switch on: OpenSSL is a library inside security products, not a user-facing setting, and whether a file is flagged depends on how the product handles a signature it cannot parse.
Users who download cracked games and other software from untrusted sources, the very population OpenSUpdater targets, gain nothing from it.
Mehta reports that after this activity was detected, the developers of OpenSUpdater started testing other invalid encodings to get past security tools and keep hiding their identity.
This is a warning to Microsoft as well as to users that they remain exposed.
Google has notified Microsoft and is working with them to protect users. Google's experts also advise users to download and install software only from reputable, trustworthy sources.
Mehta stated that TAG is collaborating with Google Safe Browsing to protect users from this family of unwanted software.
Attackers are using a variety of techniques to exploit large numbers of users across the globe.
They are targeting the world's most widely used desktop operating system, which indicates they aim to gain access to users worldwide without being noticed. Google says the main targets so far are users in the U.S., but the potential damage is considerable.