{
	"id": "384dbab0-f9f3-41b0-a756-4db3f3c81dc0",
	"created_at": "2026-04-10T03:20:55.169183Z",
	"updated_at": "2026-04-10T03:22:18.643781Z",
	"deleted_at": null,
	"sha1_hash": "2d0ded48f63f8587a4e65781b918d3b8ae3f6931",
	"title": "Financially motivated actor breaks certificate parsing to avoid detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40403,
	"plain_text": "Financially motivated actor breaks certificate parsing to avoid\r\ndetection\r\nBy Neel Mehta\r\nPublished: 2021-09-23 · Archived: 2026-04-10 02:21:46 UTC\r\nIntroduction\r\nGoogle’s Threat Analysis Group tracks actors involved in disinformation campaigns, government-backed hacking, and\r\nfinancially motivated abuse. Understanding the techniques used by attackers helps us counter these threats effectively.\r\nThis blog post is intended to highlight a new evasion technique we identified, which is currently being used by a\r\nfinancially motivated threat actor to avoid detection.\r\nAttackers often rely on varying behaviors between different systems to gain access. For instance, attackers may\r\nbypass filtering by convincing a mail gateway that a document is benign while the endpoint treats it as an executable\r\nprogram. In the case of the attack outlined below, we see that attackers created malformed code signatures that are\r\ntreated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number\r\nof security scanning products. We believe this is a technique the attacker is using to evade detection rules.\r\nTechnical Details\r\nCode signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as\r\ninformation about the identity of the signer. 
Attackers who are able to obscure their identity in signatures without\r\naffecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing\r\ncertificates to infect more systems.\r\nOpenSUpdater, a known family of unwanted software which violates our policies and is harmful to the user\r\nexperience, is used to download and install other suspicious programs. The actor behind OpenSUpdater tries to infect\r\nas many users as possible and while they do not have specific targeting, most targets appear to be within the United\r\nStates and prone to downloading game cracks and grey-area software.\r\nGroups of OpenSUpdater samples are often signed with the same code-signing certificate, obtained from a legitimate\r\ncertificate authority. Since mid-August, OpenSUpdater samples have carried an invalid signature, and further\r\ninvestigation showed this was a deliberate attempt to evade detection. In these new samples, the signature was edited\r\nsuch that an End of Content (EOC) marker replaced a NULL tag for the 'parameters' element of the\r\nSignatureAlgorithm signing the leaf X.509 certificate.\r\nEOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding\r\n(length 13). A well-formed encoding would carry a NULL (05 00) where the EOC (00 00) now sits.\r\nBytes: 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 00 00\r\nDecodes to the following elements:\r\nSEQUENCE (2 elem)\r\nOBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)\r\nEOC\r\nSecurity products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a\r\nparser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid. 
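The strict-versus-lenient split described above, as an added example that is not code from the TAG post or from OpenSSL or Windows: a small Python DER/BER reader that parses the 15 bytes quoted above twice, once under DER rules (definite lengths only, so the stray EOC inside the SEQUENCE is rejected, which is what an OpenSSL-style decoder does) and once leniently (the EOC is tolerated as 'no parameters', the behaviour the post attributes to the Windows parser). The function and constant names, and the well-formed counterpart with a NULL (05 00) in place of the EOC, are constructed for this example.

```python
# Added example (not code from the TAG post): strict vs lenient decoding of the
# AlgorithmIdentifier bytes quoted above. Names and inputs are constructed here.

# Constructed inputs: the malformed encoding from the post, and the well-formed
# encoding it was derived from (NULL parameters, 05 00, instead of EOC, 00 00).
MALFORMED_ALGID = bytes.fromhex('300D06092A864886F70D01010B0000')
WELLFORMED_ALGID = bytes.fromhex('300D06092A864886F70D01010B0500')

TAG_EOC, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x00, 0x05, 0x06, 0x30


class DERError(ValueError):
    '''Raised when the input violates the encoding rules in force.'''


def read_header(buf, pos):
    '''Read one tag and length; return (tag, length, content_start, indefinite).'''
    if pos + 2 > len(buf):
        raise DERError('truncated header at offset %d' % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise DERError('multi-byte tags not supported')
    if first == 0x80:                       # indefinite length: BER only
        return tag, None, pos, True
    if first < 0x80:                        # short form
        return tag, first, pos, False
    n = first & 0x7F                        # long form: n length octets follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise DERError('bad long-form length')
    length = int.from_bytes(buf[pos:pos + n], 'big')
    if length < 0x80 or buf[pos] == 0:      # DER requires the minimal encoding
        raise DERError('non-minimal length')
    return tag, length, pos + n, False


def decode_oid(content):
    '''Decode OBJECT IDENTIFIER content octets into dotted notation.'''
    if not content or content[-1] & 0x80:
        raise DERError('malformed OID')
    arcs, acc = [], 0
    for b in content:                       # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]                         # first octet packs the first two arcs
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return '.'.join(str(a) for a in lead + arcs[1:])


def parse_algorithm_identifier(buf, strict=True):
    '''Parse AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }.

    Returns (oid, parameters) with parameters one of 'NULL', 'EOC', a tag label, or None.
    strict=True enforces DER: an EOC (00 00) inside a definite-length SEQUENCE is an
    error. strict=False accepts the EOC as if the parameters were simply absent.
    '''
    tag, length, pos, indef = read_header(buf, 0)
    if tag != TAG_SEQUENCE or indef:
        raise DERError('expected definite-length SEQUENCE')
    end = pos + length
    if end > len(buf):
        raise DERError('SEQUENCE overruns buffer')
    tag, length, pos, indef = read_header(buf, pos)
    if tag != TAG_OID or indef:
        raise DERError('expected OBJECT IDENTIFIER')
    oid = decode_oid(buf[pos:pos + length])
    pos += length
    params = None
    if pos < end:
        tag, length, pos, indef = read_header(buf, pos)
        if indef:
            raise DERError('indefinite length not allowed here')
        if tag == TAG_EOC:
            if strict:
                raise DERError('EOC (00 00) inside definite-length SEQUENCE')
            if length != 0:
                raise DERError('EOC with non-zero length')
            params = 'EOC'                  # tolerated: treated as no parameters
        elif tag == TAG_NULL and length == 0:
            params = 'NULL'
        else:
            params = 'tag 0x%02X' % tag     # other parameter types: skip content
            pos += length
    if pos != end:
        raise DERError('SEQUENCE content length mismatch')
    return oid, params


def classify(buf):
    '''Return (strict_result, lenient_result): the parse, or a rejection message.'''
    results = []
    for strict in (True, False):
        try:
            results.append(parse_algorithm_identifier(buf, strict=strict))
        except DERError as err:
            results.append('rejected: ' + str(err))
    return tuple(results)


if __name__ == '__main__':
    for name, blob in (('well-formed', WELLFORMED_ALGID), ('malformed', MALFORMED_ALGID)):
        strict, lenient = classify(blob)
        print('%-11s strict=%s lenient=%s' % (name, strict, lenient))
```

The practical point for a detection pipeline is that any tool which parses Authenticode signatures with a strict DER decoder will see this sample as 'no signature' rather than 'signed by certificate X'; the lenient path above shows that the OID, and hence everything needed to identify the signer, is still recoverable from the same bytes.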
This\r\nis the first time TAG has observed actors using this technique to evade detection while preserving a valid digital\r\nsignature on PE files. \r\nAs shown in the following screenshot, the signature is considered to be valid by the Windows operating system. This\r\nissue has been reported to Microsoft.\r\nSince first discovering this activity, OpenSUpdater's authors have tried other variations on invalid encodings to further\r\nevade detection.\r\nThe following are samples using this evasion:\r\nhttps://www.virustotal.com/gui/file/5094028a0afb4d4a3d8fa82b613c0e59d31450d6c75ed96ded02be1e9db8104f/detection\r\nNew variant:\r\nhttps://www.virustotal.com/gui/file/5c0ff7b23457078c9d0cbe186f1d05bfd573eb555baa1bf4a45e1b79c8c575db/detection\r\nOur team is working in collaboration with Google Safe Browsing to protect users from downloading and executing\r\nthis family of unwanted software. Users are encouraged to only download and install software from reputable and\r\ntrustworthy sources.\r\nSource: https://blog.google/threat-analysis-group/financially-motivated-actor-breaks-certificate-parsing-avoid-detection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.google/threat-analysis-group/financially-motivated-actor-breaks-certificate-parsing-avoid-detection/"
	],
	"report_names": [
		"financially-motivated-actor-breaks-certificate-parsing-avoid-detection"
	],
	"threat_actors": [],
	"ts_created_at": 1775791255,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d0ded48f63f8587a4e65781b918d3b8ae3f6931.pdf",
		"text": "https://archive.orkl.eu/2d0ded48f63f8587a4e65781b918d3b8ae3f6931.txt",
		"img": "https://archive.orkl.eu/2d0ded48f63f8587a4e65781b918d3b8ae3f6931.jpg"
	}
}