- Apr 9, 2020
SmoothOperator abuses Microsoft Authenticode signatures to appear validly signed. Here is an explanation of how it works and how to detect it in files.
- AnalysePESig: Authenticode Tools
- SigFlip: GitHub - med0x2e/SigFlip, a tool for patching Authenticode-signed PE files (exe, dll, sys, etc.) without invalidating or breaking the existing signature
- Sysinternals: Sysinternals Suite
- Using unauthenticated data inside Authenticode-signed binaries: "Caveats for Authenticode Code Signing", IEInternals (MSDN Blogs)
00:00 Intro
00:37 Signature verification
02:09 SigFlip and SigLoader
03:05 Ways to hide data in Authenticode structures
06:00 Detecting hidden Authenticode data
08:11 Why this still works
09:05 Outro