Certificate Bypass: Hiding and Executing Malware from a Digitally Signed Executable

by Tom Nipravsky
Sept. 15, 2017 | Source: www.blackhat.com | Posted by belen_caty | Tags: Encryption & Authentication bypass

Malware developers are constantly looking for new ways to evade the detection and prevention capabilities of security solutions. In recent years, tools such as packers and new encryption techniques have helped malware hide its malicious code: if a security solution cannot unpack the compressed or encrypted content (or at least unpack it dynamically), it cannot identify that it is facing malware. We present a technique that goes a step further: hiding malware (encrypted or unencrypted) inside a digitally signed file while keeping the file's certificate valid, and then executing it from memory using a benign executable that acts as a reflective EXE loader, written from scratch. Our research demonstrates our Certificate Bypass tool and the Reflective EXE Loader. During the presentation, we will focus on the research we conducted on the PE file structure.
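The abstract does not say where in the PE image the hidden payload is stored, only that the signature stays valid. That is possible because an Authenticode signature covers a hash of the image rather than every byte of the file: by specification the hash skips the PE checksum field, the security data-directory entry and the attribute certificate table itself, so bytes placed inside the certificate table do not disturb the signature. The script below is an added example written for this page, not code from the talk or from the Certificate Bypass tool. It parses a PE file's attribute certificate table, measures each WIN_CERTIFICATE entry against the DER length of the PKCS#7 blob it claims to carry, and flags slack beyond the zero-filled 8-byte alignment padding the format allows. `build_sample_pe`, `FAKE_SIGNATURE` and `HIDDEN_PAYLOAD` are constructed test input (a minimal, non-runnable PE32 with a stand-in DER header, not a real signature), and all function names are my own.

```python
"""Inspect a PE file's attribute certificate table for data hidden beyond the signature blob.

Added example for triage; assumptions and the constructed sample input are marked inline.
"""
from __future__ import annotations

import struct
import sys

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _der_total_length(buf: bytes) -> int | None:
    """Total size (header + content) of the DER SEQUENCE at buf[0], or None if there is none."""
    if len(buf) < 2 or buf[0] != 0x30:          # PKCS#7 SignedData is a SEQUENCE
        return None
    first = buf[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def parse_certificate_table(pe: bytes) -> list[dict]:
    """Walk the security data directory and describe each WIN_CERTIFICATE entry.

    An entry is 'suspicious' when its DER object is missing or truncated, or when
    bytes follow the DER object beyond the up-to-7 zero bytes of alignment padding.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                           # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", pe, nrva_off)[0] <= 4:
        return []                                # no security directory at all
    # Directory index 4 is IMAGE_DIRECTORY_ENTRY_SECURITY; its "VirtualAddress" is a file offset.
    table_off, table_size = struct.unpack_from("<II", pe, dirs_off + 4 * 8)
    if table_off == 0 or table_size == 0:
        return []                                # unsigned file
    table_end = table_off + table_size
    entries, pos = [], table_off
    while pos + 8 <= table_end:
        dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if dw_length < 8 or pos + dw_length > min(table_end, len(pe)):
            raise ValueError(f"malformed WIN_CERTIFICATE at {pos:#x}")
        body = pe[pos + 8:pos + dw_length]
        der_len = _der_total_length(body)
        bad_der = der_len is None or der_len > len(body)
        slack = b"" if bad_der else body[der_len:]
        entries.append({
            "offset": pos, "length": dw_length, "revision": revision, "type": cert_type,
            "der_length": der_len, "slack_length": len(slack),
            "slack_nonzero": sum(1 for b in slack if b),
            "suspicious": bad_der or len(slack) > 7 or any(slack),
        })
        pos += (dw_length + 7) & ~7              # entries are 8-byte aligned
    return entries


# --- constructed sample input (not a real signed binary) -----------------------------
# Stand-in for a PKCS#7 blob: a correct outer SEQUENCE header (long form, 256 content
# bytes) around filler. Only the header matters to the check above.
FAKE_SIGNATURE = b"\x30\x82\x01\x00" + bytes(range(256))
HIDDEN_PAYLOAD = b"HIDDEN-PAYLOAD-PLACEHOLD"     # 24 bytes stashed after the DER object


def build_sample_pe(cert_body: bytes) -> bytes:
    """Minimal PE32 image (headers, one empty section, a certificate table holding cert_body)."""
    file_align = 0x200
    hdr = bytearray(file_align)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                          # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, 0x1000, file_align)       # Section/FileAlignment
    struct.pack_into("<I", hdr, opt + 60, file_align)                # SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)                        # NumberOfRvaAndSizes
    sec = opt + 0xE0                                                 # first section header
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, file_align, 0x1000, file_align, file_align)
    section = bytes(file_align)
    cert_off = len(hdr) + len(section)
    dw_length = (8 + len(cert_body) + 7) & ~7
    entry = struct.pack("<IHH", dw_length, WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body
    entry += bytes(dw_length - len(entry))                           # zero alignment padding
    struct.pack_into("<II", hdr, opt + 96 + 4 * 8, cert_off, dw_length)  # security directory
    return bytes(hdr) + section + entry


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_sample_pe(FAKE_SIGNATURE + HIDDEN_PAYLOAD)
    for e in parse_certificate_table(data):
        print(e)
```

Run it against a real binary with `python certslack.py file.exe`; with no argument it inspects the constructed sample and reports 28 bytes of slack, 24 of them non-zero. The check is a triage heuristic only: it finds data stashed after the signature blob inside the certificate table, not payloads hidden elsewhere in the image, and the Windows verifier will still report such a file as validly signed unless the stricter certificate-padding check shipped with MS13-098 has been switched on, which is opt-in.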


Steven Ulm 8 months ago

They find more complicated methods each day. Sometimes it is even hard to follow up with them...