
Researchers Hide Malware Inside Digitally Signed Executables

Cybercriminals can pack malware into digitally signed executables without breaking the signature, thus avoiding anti-virus detection, researchers say.

In a whitepaper presented at Black Hat USA 2016, Deep Instinct researchers reveal that it is possible to hide an executable malicious file inside a signed PE (Portable Executable) file without breaking the normal PE execution flow, and without encrypting the main sections of the file.

Malware authors are constantly seeking means to evade detection and prevention solutions, and they frequently use packers and encryption techniques to do so, because security solutions are effective only if they can unpack the compressed or encrypted malicious content. Packed and encrypted files can be identified both on disk and during execution, but the researchers say that their newly discovered technique prevents that.

Packers, or compressors, were created to reduce the size of files on disk, but also to make reverse engineering of executables more difficult. Although they were intended for legitimate purposes, packers soon became tools for malware creators, and researchers estimate that up to 80% of malware is obfuscated with packers and compression techniques.

While most actors use known packers, which also have unpackers that security solutions might use before scanning files, there are also developers of malicious applications who use custom packers and obfuscation techniques unknown to security vendors.

To determine the location and size of the attribute certificate table, Windows reads the VirtualAddress and Size members of the corresponding IMAGE_DATA_DIRECTORY entry. The size is also recorded at the beginning of the attribute certificate table itself, the researchers explain in their whitepaper. Windows uses Authenticode to determine the origin and integrity of software binaries, and X.509 v3 certificates to bind an Authenticode-signed binary to the identity of a software publisher.

To validate the integrity of the file and make sure it hasn’t been tampered with, Windows also calculates the file’s hash and compares it with the hash stored in the SignedData structure. However, the researchers discovered that, because Windows excludes three fields from the hash calculation, namely the CheckSum field, the IMAGE_DIRECTORY_ENTRY_SECURITY entry in the DataDirectory, and the attribute certificate table itself, data can be injected into the file without invalidating the certificate.


“Because Windows excludes the fields mentioned above from the hash calculations, we can inject data to the certificate table without damaging the validity of the file’s certificate. By appending malicious content to the end of the certificate table and modifying the relevant fields accordingly (Size [Both in DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY] and in WIN_CERTIFICATE] and CheckSum), we can modify the file without harming the validity of the certificate,” researchers say.
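As an added defender-side illustration (not code from the Deep Instinct whitepaper or from this article), the following Python script builds a constructed toy PE32 file with an Authenticode-style certificate table, hashes it the way the article describes (everything except the CheckSum field, the IMAGE_DIRECTORY_ENTRY_SECURITY directory entry and the certificate table), and then flags a WIN_CERTIFICATE entry whose declared dwLength covers more than the DER-encoded SignedData blob it carries. The PE layout, the stand-in certificate bytes and the appended data are all constructed; the hashing is a simplification of the Authenticode procedure that assumes sections are stored in file order and that the certificate table is the only overlay. The point it demonstrates is the one the researchers make: appending data to the certificate table leaves the hash untouched, whereas a single changed byte in a section does not, so a scanner has to look at the certificate table itself rather than rely on signature validity.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
ALIGNMENT_SLACK = 7  # each WIN_CERTIFICATE is padded to 8 bytes, so up to 7 trailing bytes are normal


def find_security_directory(data):
    """Locate the optional header, the security DataDirectory entry and the table it
    points to. The VirtualAddress of this directory is a file offset, not an RVA."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                          # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_offset = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 / PE32+ DataDirectory offset
    if dd_offset is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = opt + dd_offset + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    cert_offset, cert_size = struct.unpack_from("<II", data, entry)
    return {"opt_header": opt, "sec_entry": entry,
            "cert_offset": cert_offset, "cert_size": cert_size}


def der_sequence_length(blob):
    """Total encoded length of the DER SEQUENCE starting at blob[0], or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def parse_certificate_table(data):
    """Walk the WIN_CERTIFICATE entries and measure how many bytes of each dwLength
    are not covered by the DER SignedData blob the entry carries."""
    info = find_security_directory(data)
    pos, end = info["cert_offset"], info["cert_offset"] + info["cert_size"]
    entries = []
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at 0x%x" % pos)
        blob = data[pos + 8:pos + length]
        der_len = der_sequence_length(blob)
        entries.append({"offset": pos, "length": length, "revision": revision, "type": cert_type,
                        "trailing_bytes": None if der_len is None else len(blob) - der_len})
        pos += (length + 7) & ~7                     # entries are 8-byte aligned
    return entries


def suspicious_entries(data):
    """Entries with more than alignment padding beyond the DER blob, or no DER SEQUENCE at all."""
    return [e for e in parse_certificate_table(data)
            if e["trailing_bytes"] is None or e["trailing_bytes"] > ALIGNMENT_SLACK]


def authenticode_hash(data, algo="sha256"):
    """Hash the file minus the three Authenticode exclusions (simplified: sections in
    file order, certificate table is the only overlay)."""
    info = find_security_directory(data)
    checksum = info["opt_header"] + 64               # OptionalHeader.CheckSum
    excluded = sorted([(checksum, checksum + 4),
                       (info["sec_entry"], info["sec_entry"] + 8),
                       (info["cert_offset"], info["cert_offset"] + info["cert_size"])])
    h = hashlib.new(algo)
    pos = 0
    for start, stop in excluded:
        h.update(data[pos:start])
        pos = stop
    h.update(data[pos:])
    return h.hexdigest()


def build_sample_pe(cert_der, appended=b""):
    """Constructed toy PE32 image (headers, one section, certificate table); a parsing
    target only, not a runnable executable."""
    payload = cert_der + appended
    table = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload  # rev 2.0, PKCS_SIGNED_DATA
    table += b"\0" * (-len(table) % 8)
    cert_offset = 0x400
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                    # PE32 magic
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, cert_offset, len(table))
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (0x200 - len(headers))
    text = bytes(range(256)) * 2                                             # 0x200 bytes standing in for code
    return headers + text + table


def demo():
    cert = b"\x30\x20" + b"\xAA" * 0x20              # constructed stand-in for a PKCS#7 SignedData blob
    clean = build_sample_pe(cert)
    stuffed = build_sample_pe(cert, b"\x90" * 100)   # 100 constructed bytes appended to the table
    tampered = bytearray(clean)
    tampered[0x300] ^= 0xFF                          # one byte changed inside .text
    return {"hash_unchanged_by_stuffing": authenticode_hash(clean) == authenticode_hash(stuffed),
            "hash_changed_by_tamper": authenticode_hash(clean) != authenticode_hash(bytes(tampered)),
            "clean_trailing": parse_certificate_table(clean)[0]["trailing_bytes"],
            "stuffed_trailing": parse_certificate_table(stuffed)[0]["trailing_bytes"],
            "flagged": len(suspicious_entries(stuffed))}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The DER-length comparison is a heuristic rather than a verdict: signtool leaves up to seven bytes of zero padding inside dwLength, and files with several signatures carry several entries, so a real check walks every entry and only reports payload that a proper PKCS#7 parse cannot account for. Against real binaries the simplified hash should be replaced by a full Authenticode implementation, but the excluded ranges are exactly the three the article names.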

According to the researchers, this injection method allows a malicious file to pass anti-virus verification even though it is not encrypted. The injected content is not part of the execution process, which keeps anti-malware solutions from detecting it even when the signed file is executed. “This way, we are able to hide malicious content in files across windows file system, without being identified,” researchers say.

Because code cannot be executed directly from the certificate section, the Deep Instinct researchers also built a Reflective PE Loader to run PE files directly from memory, and they documented how other researchers can replicate the PE execution process on their own. Their working PoC still has three limitations, however: it does not run on 64-bit systems, it does not support DLL forwarding, and the host process is closed when the payload PE exits, because the payload uses ExitProcess.

“Malware developers and hackers are constantly searching for advanced techniques to bypass security solutions by steering away from the classic structure of packers where everything is located in one file. This includes finding ways that are not dependent on each other and connecting them. By adopting an attacker’s mindset, the security industry can creatively identify attack vectors and flaws, offering better protection,” the researchers conclude.

Related: “Poweliks” Malware Uses Windows Registry to Avoid Detection

Related: VirusTotal Policy Change Rocks Anti-Malware Industry

Related: Dell Unveils Solution to Detect Evasive Malware
