Malware hidden in digitally signed executables can bypass AV protection

Researchers have shown that it’s possible to hide malicious code in digitally signed executables without invalidating the certificate, and execute this code – all without triggering AV solutions.

Tom Nipravsky, from Tel Aviv-based Deep Instinct, presented the results of their research at Black Hat USA 2016, but didn’t release PoC code as it would be too dangerous.

Injecting malware into digitally signed executables

To perform a successful attack, Deep Instinct researchers had to create two portable executable (PE) files: a malicious one that will conceal malware within itself, and a benign one that will execute it from memory.

“Windows is using Authenticode in order to determine the origin and integrity of software binaries, and it is based on Public-Key Cryptography Standards (PCKS) #7 while using X.509 v3 certificates to bind an Authenticode-signed binary to the identity of a software publisher,” they explained.

“In order to validate the integrity of the file and make sure it hasn’t been tampered with, it calculates the hash (excluding 3 fields – Checksum, IMAGE_DIRECTORY_ENTRY_SECURITY entry in the DataDirectory, and the attribute certificate table itself) and compare the result against the hash mentioned in the SignedData structure in PKCS #7 (if the two are different, the code has been changed, and the digital signature becomes invalid).”

The fact that Windows excludes those three fields from the hash calculations allowed the researchers to inject malicious code into the certificate table and modify the rest of the fields without invalidating the certificate.

“All the security solutions we have checked did not recognize the file as a malicious one even when the malicious file was not encrypted. Since the embedded malware is not part of the execution process, those solutions did not identify the malicious content even upon execution of the signed file,” they noted.

The creation of the benign executable was more difficult, as they first had to research how Windows executes PEs, but they were ultimately relatively successful: they created a functional Reflective PE Loader that executes PE files directly from memory without leaving marks or any trace of the action on the disk or running processes, but with some limitations.

More technical details about executables, packers and their research can be found in this whitepaper.

“Malware developers and hackers are constantly searching for advanced techniques to bypass security solutions by steering away from the classic structure of packers where everything is located in one file. This includes finding ways that are not dependent on each other and connecting them,” they noted.

They believe that this certificate bypass is a valid technique that can be easily adopted by malware authors.