Malware Analysis [Video] 3CX SmoothOperator Authenticode Abuse


Thread author
Staff Member
Apr 9, 2020

SmoothOperator abuses Microsoft Authenticode signatures to seem valid. Here is an explanation how it works and how to detect it in files.

AnalysePESig: Authenticode Tools
SigFlip: GitHub - med0x2e/SigFlip: SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature.
Sysinternals: Sysinternals Suite - Sysinternals
Using unauthenticated data inside authenticode signed binaries: Caveats for Authenticode Code Signing - IEInternals - Site Home - MSDN Blogs

00:00 Intro
00:37 Signature verification
02:09 SigFlip and SigLoader
03:05 Ways to hide data in authenticode structures
06:00 Detecting hidden authenticode data
08:11 Why this still works
09:05 Outro

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.