How Are Cybercriminals Sneaking Past Malware Detection Tools?

September 27, 2021 | Alexa Hernandez

In keeping with the recent rise of attacks that abuse encryption, Google's Threat Analysis Group (TAG) has uncovered a new technique threat actors can use to sneak malware, adware and other malicious software past trusted malware detection tools.

Users of Windows Internet Information Services (IIS), Microsoft's Windows web server, are being targeted with fake notifications that warn of an expired certificate and prompt them to download a malicious installer. How is this possible, and what can you do to protect your organization from attacks of this kind?

Neel Mehta, a Google researcher, surmises that the cybercriminals are able to trick Microsoft's malware detection by using a software code-signing certificate issued by a legitimate certificate authority. The result is a signature that Windows accepts as valid, but that OpenSSL-based code security tools cannot inspect.

The phony security notification tells users that they must "update a security certificate" and then installs malware disguised as VirusTotal, signed with a DigiCert certificate.

What is really being installed? TVRAT, also known as TeamSpy or TeamViewer RAT, malware that gives the attackers who install it complete remote access to the infected machine. Attackers have been using stolen digital certificates to evade malware detection tools for some time, for example in the recent SolarWinds attack.

In this instance, the cybercriminals are using a deliberately distorted signature that OpenSSL-based security products cannot decode. Neel Mehta said, "Security products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid."

Google TAG reported the issue to Microsoft because, as Mehta points out, the Windows operating system treats the signature as valid.

How can I keep my network secure?

One of the biggest steps your organization can take to protect your machine identities is to automate your certificate management strategy. How? Venafi Trust Protection Platform gives you complete visibility into the certificates across your network, so you can immediately identify and react to potential threats.

About the author

Alexa Hernandez
Alexa is the Web Marketing Specialist at Venafi.
