Posts: 15,316
Threads: 9,909
Thanks Received: 9,186 in 7,338 posts
Thanks Given: 10,037
Joined: 12 September 18
09 August 20, 10:17
Quote:
In an ideal world, something that is signed cannot be altered: a signature implies that the signed item is trustworthy and unaltered. When it comes to signed files, things look a bit different. A signature does not always mean that everything is in order.
Code signing basics
Digitally signing software, also referred to as “code signing”, is intended to certify the software’s authenticity and integrity. It gives users assurance that the software they are running has not been tampered with and is true to its original form. Each digital signature is vouched for by an entity called the “signer”. Like a handwritten signature, each digital signature is unique to its signer. It is also the signer’s duty to keep the signing key secure so that no one else can use it without their consent.
Other than software applications, digital signing is also applicable to various file types such as MS Office documents (.doc/x, .ppt/x, .xls/x), images (.bmp, .gif, .jpg, .png), and other digital documents such as PDFs and e-mails.
By design, modifying a digitally signed file invalidates its signature; even the slightest change should do so. Windows also has features such as Microsoft Defender SmartScreen and User Account Control (UAC) that warn users when they run an application from an unknown publisher.
Tampered, but not broken
In January 2019, VirusTotal[1], together with Microsoft, disclosed a vulnerability involving digitally signed Microsoft Installer (.MSI) files.
Researchers found that the signature of a digitally signed MSI file remains valid even after additional content is appended to the end of the file. This poses a risk because it defeats the purpose of signing applications: with the signature still valid after tampering, threat actors can use a signed MSI file as a vector to plant malicious code on a system with little effort.
With “.msi” as its extension, the patched MSI file still functions as intended and ignores the appended data. A more dangerous case arises when a Java Archive (JAR) file is appended to the signed MSI file and the result is renamed to “.jar”. By default, files with the “.jar” extension are executed by Java, which allows the appended code to run even though the file is natively an MSI. This works because a JAR is a ZIP archive, and ZIP readers locate the archive by its central directory at the end of the file: Java effectively reads the file from the bottom up, finds the appended JAR, and never cares about the MSI content in front of it.
Old frenemies
During the first quarter of 2020, we saw several activities exploiting this known flaw. Targeting Windows users, the technique was used and abused on signed installers of Microsoft Silverlight to carry various types of Java-based malware. Silverlight is a framework for writing and running rich web and mobile applications, similar to Adobe Flash. Developed by Microsoft, it has been deprecated since its last release on January 15, 2019. Though tagged as deprecated, it is still available on Microsoft’s official page and is still used by some web services for streaming multimedia content; Amazon and Netflix used it before moving to HTML5. Silverlight is packaged as a digitally signed MSI file, which makes it a suitable candidate for this kind of trickery.
This has been the case for the multiple modified Silverlight installers we have seen in the wild. Hosted on various compromised websites, the patched MSI files were distributed with a “.jar” extension. These patched installers were not distributed and labelled as actual Silverlight installers, but rather as phishing components.
...
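As an added example that is not part of the quoted article or of the VirusTotal/Microsoft disclosure, the script below shows the mechanism the article describes and a check a defender can run over suspicious files: it finds the ZIP End Of Central Directory record from the end of the file (the same way Java locates a JAR), works out where the ZIP really starts, and flags a file whose first bytes are an OLE compound-file header (the MSI container) but whose ZIP begins after a non-zero prefix. The sample file is constructed inline and is not a real installer: only the 8-byte OLE magic plus zero padding stands in for the signed MSI, and the appended JAR contains a placeholder class entry, not real bytecode.

```python
"""Detect a signed-MSI/JAR polyglot: an OLE compound file with a ZIP archive
appended after it.  Added example, not code from the original article.
The sample data is constructed here; the 'MSI' is a fake 512-byte prefix."""
import io
import struct
import zipfile

# OLE2 compound-file magic: MSI, DOC, XLS and other Office binary files start with it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# ZIP End Of Central Directory signature.  ZIP readers (java, unzip, zipfile)
# find an archive by scanning for this record from the END of the file.
EOCD_SIG = b"PK\x05\x06"
EOCD_FIXED_LEN = 22        # EOCD record length without the trailing comment
ZIP_MAX_COMMENT = 0xFFFF   # the comment length field is 16 bits


def build_jar() -> bytes:
    """Constructed JAR: a manifest and a placeholder class entry (not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Dropper\n")
        jar.writestr("Dropper.class", b"\xca\xfe\xba\xbe placeholder, not real bytecode")
    return buf.getvalue()


def build_sample_polyglot() -> bytes:
    """Fake 512-byte 'MSI' (OLE magic + zero padding) with the JAR appended to it."""
    fake_msi = OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC))
    return fake_msi + build_jar()


def find_eocd(data: bytes):
    """Return (eocd_offset, cd_size, cd_offset) or None if no EOCD record is present."""
    search_from = max(0, len(data) - EOCD_FIXED_LEN - ZIP_MAX_COMMENT)
    idx = data.rfind(EOCD_SIG, search_from)
    if idx < 0 or idx + EOCD_FIXED_LEN > len(data):
        return None
    # Fields after the signature: disk no., CD disk no., entries on this disk,
    # total entries, CD size, CD offset (relative to the ZIP start), comment length.
    _, _, _, _, cd_size, cd_offset, _ = struct.unpack(
        "<HHHHIIH", data[idx + 4: idx + EOCD_FIXED_LEN])
    return idx, cd_size, cd_offset


def classify(data: bytes) -> dict:
    """Report OLE header, ZIP tail, where the ZIP really starts, and the polyglot verdict."""
    report = {
        "ole_header": data.startswith(OLE_MAGIC),
        "zip_tail": False,
        "zip_start": None,   # byte offset of the real ZIP start; 0 for a clean archive
        "entries": [],
        "polyglot": False,
    }
    eocd = find_eocd(data)
    if eocd is not None:
        eocd_offset, cd_size, cd_offset = eocd
        # The central directory ends where the EOCD begins, and its declared offset
        # is relative to the archive start, so everything before that is prefix data.
        report["zip_tail"] = True
        report["zip_start"] = eocd_offset - cd_size - cd_offset
        # The stdlib reader opens the archive despite the MSI prefix, exactly as java does.
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            report["entries"] = z.namelist()
    report["polyglot"] = bool(
        report["ole_header"] and report["zip_tail"] and report["zip_start"] > 0)
    return report


if __name__ == "__main__":
    for label, blob in (("polyglot", build_sample_polyglot()), ("clean jar", build_jar())):
        print(label, classify(blob))
```

Note that the same offset arithmetic exposes the flaw in the other direction: the Authenticode signature of a real MSI covers the compound-file structure, not the trailing bytes, so the signed portion still verifies while the ZIP reader happily treats the appended bytes as the whole archive. A file that is both a valid OLE container and a ZIP whose start is not offset 0 deserves a closer look regardless of what its extension says.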