Repurposed binary used to host malware

[WhosLogan]

It appears there's a new party trick wannabe hackers have been using to avoid AV detection.

They send out signed binaries (the same one compiled in either this repo or one similar) and swap out the executing dll. Since it's DotNet, that effectively allows them to abuse presigned binaries as a way to load their malware.

I have attached a screenshot of an example of this. While there may be nothing that can really be done (I haven't researched this extensively at all), it could potentially lead to the revocation of a certificate.

[Klocman]

Can you give me more details on how the exe is being used? Are they actually using it to uninstall some windows updates as it's designed, or is there some exploit that they use to run their own code?

The certificate will expire within a month either way but I'd like to resolve this before renewing.

[WhosLogan]

It appears they just swapped the primary DLL out so that the signed executable loads the malicious DLL. It was definitely malware although I’m not sure what it does since the remote server was offline.

They’re essentially just abusing the signed executable to gain initial trust when they load the DLL. I’m not sure what the solution to this would be other than to compile the binary as self contained to be honest.

[Klocman]

I can see the issue, the generated .NET executable does not care about the assembly signature/name and simply loads whatever has the same name but ending with .dll. This was not an issue back when BCU was using .NET Framework because strong names were enforced, but apparently the strong name checks were removed by design in .NET Core and newer.

I cannot find any working replacements short of writing my own loader .exe that verifies the assembly signature (with is very unlikely to happen), or refactoring/rewriting the entirety of BCU to be contained in a single .exe file (a monumental task, especially if I wanted trimming since that would require rewriting the UI too).

If anyone with more knowledge in signing .NET 5+ apps knows of a way to have a signed .exe which only loads signed .dlls, please let me know. (I cannot deploy as single file because of the large amount of .exe files and inability to use trimming since it's all winforms)

ref: https://learn.microsoft.com/en-us/dotnet/standard/assembly/strong-named#why-strong-name-your-assemblies

Since the signature expires within a week anyways I may simply not renew it for now, at least until I can find a viable solution.

[WhosLogan]

Honestly this doesn't sound like there's very many solutions to this. This is kind of a lose-lose situation. If I were you I might just ignore the problem and hope it goes away with something like this. I still feel like its better to sign the binary than to not.