Welcome to my analysis for Hedgehogs. In the last video we checked SmoothOperator, the ffmpeg.dll. We analyzed it, marked it up, and it reads another DLL which has a valid signing certificate by Microsoft. So this certificate is not stolen; it has been manipulated to put malicious data inside it without breaking it. How does it work? This is a short explanation video on this topic. Let's talk a little bit about Authenticode signature abuse. In the SmoothOperator supply chain attack we had the trojanized ffmpeg.dll. This was patched to execute malicious code, and this code extracts data from d3dcompiler_47.dll. Now the interesting thing about this one: it has a valid signature. So let's check this. You can see here, it uses sigcheck.exe internally, and it says it's verified and signed by Microsoft. So in general such files have a higher trust value; they are seen as more trusted than non-signed files, especially from a signer like Microsoft. How does this work? We know there's malicious data in there. So how did they do that? Generally people can either steal certificates, or they can manipulate them in a way that they are not broken. This is what happened here. So remember, we found this marker FEEDFACE FEEDFACE in the file. That is what this ffmpeg.dll uses to know where the encrypted malicious data starts, where the shellcode starts. When you search for that, there's one tool that comes up called SigFlip, and I knew this tool because it's not the first time that I've seen malware abusing it. But the interesting part here is that this code in SigLoader.cpp is exactly the code in the ffmpeg file; they're pretty much doing the same thing that we analyzed. So you can use this to check your analysis, and I recommend that you also read the README here. If you check down below, the detailed section explains how it works, how Authenticode digital signatures work and how the tool abuses them. But there's even one better article, which is here.
I did not find it on the original MSDN blog anymore, but it's still in the Wayback Machine. It's an article about Authenticode signing and how it can be abused. Legitimate applications also abuse it, especially for personalized installers. The mere fact that someone abuses Authenticode signatures to put their data inside is not an indicator that it's malicious. The author explains here that Dropbox and other applications create personalized installers with data in them, and they don't want to sign all of them with a new signature. So the way they do this is what he describes as cheating Authenticode. There's a hash created on the PE file. Let's actually get a bigger picture of that. To verify that the file has not been manipulated, they calculate a hash, and this hash is embedded in the certificate table and compared to the actual hash at the point of checking whether the signature is valid. So if anything changes inside the white areas, then the certificate is not valid anymore. However, certain parts of the file must be excluded because they are part of the certificate. That means specifically the certificate table entry in the data directories, the Windows checksum and of course the certificate structures themselves are not part of this hash. Anything that's put inside here will not break the signature, and that is also the way to abuse it, because some of those structures provide a way to embed your own data. Generally there are two known ways for that, which are described here. The first is the WIN_CERTIFICATE structure: you can say that the length of the structure is more than what it currently is, just manipulate the length and then add your data into that. And secondly, you can use unvalidated attributes, or unauthenticated attributes as they are called in the Authenticode specification. So this is all if you are interested in the details.
I will put the link to this in the description below. But anyway, you don't need to know all of the details. How do you detect this kind of abuse? There is a tool by Didier Stevens. It's called, where is the name, AnalyzePESig, and this will show you if such abuse is happening. So we will execute this tool first on a file where this abuse does not happen, and that is the 3CXDesktopApp, because that was validly signed. This is what an application looks like where there's a normal Authenticode signature. The important fields are this one, this would be the padding that would indicate if there's data after this WIN_CERTIFICATE structure, so this should always be zero in our valid file, and the same, where is it, this one, this should also be zero. Then it's fine. Now let's do the same for the d3dcompiler. The d3dcompiler we know was manipulated. Here it says it's a valid signature, but you will see here bytes after the signature, and signature bytes that are not zero. So this is an indicator that this was manipulated. So get this tool and check yourself. This is quite interesting. By the way, VirusTotal will show such files as not validly signed. There is also a way to disable this in Windows so that Windows will show such files as not validly signed, but this is still an opt-in and nothing like that is done by default. So this is why this still works as an abuse. The main reason is, well, when legitimate applications do it, it's hard to just turn it off because it will break them. And I found it even quite interesting, because I haven't seen that part before, but it seems certain legitimate applications put download URLs inside this data, and then of course the malware authors will just abuse this as a downloader by changing the URL.
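As an added example (my own code, not the video's, not SigFlip's and not Didier Stevens's AnalyzePESig), the following Python script walks the PE headers to the certificate table and applies the two checks that the hashing explanation and the detection walkthrough above describe: it measures the bytes inside the WIN_CERTIFICATE entry that sit after the end of the PKCS#7 blob (the inflated-dwLength trick) and counts how many of them are non-zero, and it reports any bytes after the certificate table. The "PE" images it examines are constructed in memory by `build_pe`, the signature blob `FAKE_SIGNATURE` is a placeholder DER SEQUENCE standing in for real PKCS#7 SignedData, and the keys of the result dictionary are my own naming, not AnalyzePESig's output fields.

```python
"""Find data hidden in a PE file's Authenticode certificate table.

Added example, not the video's code and not AnalyzePESig. It applies the two
checks discussed above: non-zero bytes between the end of the PKCS#7 blob and
the end of the WIN_CERTIFICATE entry (the inflated-dwLength trick), and bytes
that sit after the certificate table. Only the first WIN_CERTIFICATE entry is
parsed.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot of the certificate table


def der_total_length(blob: bytes) -> int:
    """Total length (tag + length bytes + content) of the DER element at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:  # PKCS#7 SignedData is a SEQUENCE
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:  # short form: a single length byte
        return 2 + first
    n = first & 0x7F  # long form: n big-endian length bytes follow
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def certificate_table(pe: bytes) -> tuple:
    """Return (file_offset, size) of the certificate table, or (0, 0) if none."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24  # skip 4-byte PE signature and 20-byte COFF header
    is_pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    # PE32 keeps NumberOfRvaAndSizes at +92 and the directories at +96;
    # PE32+ at +108 and +112 (ImageBase is 8 bytes wide there).
    count_off, dirs_off = (opt + 108, opt + 112) if is_pe32plus else (opt + 92, opt + 96)
    if struct.unpack_from("<I", pe, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    # Unlike the other directories, the security entry holds a raw file offset.
    return struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def analyze_signature(pe: bytes) -> dict:
    """Report the places in the Authenticode structures where data can hide."""
    off, size = certificate_table(pe)
    if size == 0:
        return {"signed": False}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    blob = pe[off + 8:off + dw_length]            # bCertificate[] of the first entry
    padding = blob[der_total_length(blob):]       # inside dwLength, after the PKCS#7
    return {
        "signed": True,
        "revision": revision,                     # 0x0200 for current Authenticode
        "cert_type": cert_type,                   # 0x0002 = WIN_CERT_TYPE_PKCS_SIGNED_DATA
        "length_matches_directory": dw_length == size,
        "bytes_after_signature": len(padding),
        "nonzero_bytes_after_signature": sum(1 for b in padding if b),
        "bytes_after_table": len(pe) - (off + size),
    }


# Constructed stand-in for a PKCS#7 blob: a DER SEQUENCE of two INTEGERs.
# A real signature is thousands of bytes and cannot be produced offline here.
FAKE_SIGNATURE = b"\x30\x06\x02\x01\x01\x02\x01\x02"


def build_pe(cert_blob: bytes, hidden: bytes = b"", trailing: bytes = b"") -> bytes:
    """Construct a minimal, section-less PE32+ image carrying a certificate table.

    `hidden` is appended inside the WIN_CERTIFICATE entry (dwLength inflated to
    cover it); `trailing` is appended after the table. Both are constructed data.
    """
    opt_size = 240  # PE32+ optional header with all 16 data directories
    cert_off = 0x40 + 4 + 20 + opt_size  # 0x148, already 8-byte aligned
    entry = cert_blob + hidden
    entry += b"\0" * (-(8 + len(entry)) % 8)  # entries are padded to 8 bytes
    win_cert = struct.pack("<IHH", 8 + len(entry), 0x0200, 0x0002) + entry
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)    # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert + trailing


if __name__ == "__main__":
    clean = build_pe(FAKE_SIGNATURE)
    abused = build_pe(FAKE_SIGNATURE, hidden=b"EXAMPLE PAYLOAD", trailing=b"overlay")
    for name, image in (("clean", clean), ("abused", abused)):
        print(name, analyze_signature(image))
```

On a real binary, call `analyze_signature(open(path, "rb").read())`; a signed file that was not tampered with should report zero non-zero bytes after the signature and zero bytes after the table, while the inflated-length abuse shows up as a non-zero count. This only covers the first of the two techniques from the article: data smuggled into unauthenticated attributes lives inside the PKCS#7 blob itself and needs an ASN.1 walk of the SignerInfo, which this script does not do.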
This was an interesting topic to dive into a bit deeper. Please make sure to check the links in the description below to read the articles that I showed you briefly and download the tools from there. So see you next time.