Certificate Bypass: Hiding and Executing Malware from a Digitally Signed Executable

Malware developers are constantly looking out for new ways to evade the detection and prevention capabilities of security solutions.

A commonly used technique to achieve those goals is the usage of tools, such as packers and new encryption techniques, making the malicious code unreadable by security products.

If the security solution cannot unpack the compressed or encrypted malicious content (or at least unpack it dynamically), then the security solution will not be able to identify that it is facing malware. However, packed and encrypted files can be identified both on disk by their special characteristics and during file execution when the file content needs to be unpacked or decrypted.

In this paper the authors present a different evasion technique for malicious code that bypasses security vendors, both on the disk and during loading, by storing the malicious code inside signed files without invalidating the digital signature. It also evades detection during execution time, by using reflective EXE loading of the malicious code. Thus, the technique allows the execution of persistent malicious code to remain hidden from current software solutions.

Here is the link to full paper.