Information Security 15 min read

Analysis of New MD5 Collision Malware and Its Attack Techniques

This article examines the evolution of a malicious MD5 collision campaign from 2014‑2015, detailing the chosen‑prefix collision method, the combination with digital signatures and dual‑signature tricks, the full infection workflow, and the large‑scale propagation and impact on millions of Windows users.


Overview – Once practical MD5 collisions became public, malware built on them kept appearing. Beginning in early 2014 one threat actor put the chosen‑prefix collision method to use in the wild, and over the following two years the technique was extended with embedded digital signatures and, finally, a dual‑signature evasion trick.

New Collision Characteristics – The earlier samples used identical‑prefix collisions: the two files share the same prefix and differ only in a few bytes inside the collision blocks, so the "good" and "bad" versions are nearly the same file. The new method applies the chosen‑prefix collision algorithm: the attacker picks two entirely different prefixes (a benign program and a malicious one), computes a crafted suffix for each that brings MD5's internal state to the same value, and appends them. Because the internal states now match, any common trailing content can follow and the two programs still share one MD5. The practical consequence is that any reputation or allowlist system keyed on MD5 carries the benign file's verdict over to the malicious one.

Signature Utilization – On top of the collision, the attacker embeds valid digital signatures in the colliding files, typically by reusing signed MSI packages. Data appended to a signed MSI does not break its signature, so the malicious payload keeps a signature that still verifies, and security products that treat "signed and valid" as a trust signal are far less likely to flag it. The useful check is therefore not only whether the signature verifies but whether the signed region covers the entire file (trailing bytes past it are a warning sign), and any hash‑based reputation lookup should be keyed on SHA‑256 rather than MD5.
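The two preceding paragraphs rest on one property of MD5: once a pair of inputs collides, anything appended to both keeps the collision, which is why a single collision yields a benign file and a malicious one with identical hashes, and why an MD5‑keyed allowlist then carries the benign verdict over. The following Python block is an added example, not code from the article or from the malware; it reuses the public identical‑prefix collision pair of Wang et al. (2004) because generating a chosen‑prefix collision takes hours of dedicated compute, and the trailing payload, the allowlist and the branching logic in it are constructed for illustration.

```python
"""Added example (not from the original article): why a single MD5
collision is enough to build two different files with one hash.

A chosen-prefix collision takes hours of dedicated compute, so this block
reuses the public identical-prefix collision pair (Wang et al., 2004): two
128-byte messages that differ in six bytes yet share an MD5 digest. The
property demonstrated, that any common suffix preserves the collision,
holds for chosen-prefix collisions in exactly the same way.
"""
from __future__ import annotations

import hashlib

# Two published 128-byte messages with the same MD5 digest (Wang et al., 2004).
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def digest(data: bytes, algo: str = "md5") -> str:
    return hashlib.new(algo, data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list[int]:
    """Byte positions where the two colliding messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def extend_collision(suffix: bytes) -> tuple[bytes, bytes]:
    """Append the same suffix to both colliding messages.

    MD5 is a Merkle-Damgard construction: after the colliding blocks both
    inputs sit in the same internal state, so everything processed after
    that point (a payload, a resource section, an appended signature
    table) yields the same digest for both. This is what lets an attacker
    turn one collision into two different files that hash alike.
    """
    return M1 + suffix, M2 + suffix


def behaviour(sample: bytes) -> str:
    """Toy version of the classic 'two programs, one hash' construction
    (constructed for this example): the file carries both code paths and
    branches on which colliding block it starts with."""
    head = sample[: len(M1)]
    if head == M1:
        return "benign"
    if head == M2:
        return "malicious"
    return "unknown"


def allowlist_accepts(allowlisted_md5: set[str], sample: bytes) -> bool:
    """Decision of a reputation system keyed on MD5 alone (the weak design)."""
    return digest(sample) in allowlisted_md5


def allowlist_accepts_sha256(allowlisted_sha256: set[str], sample: bytes) -> bool:
    """Same decision keyed on SHA-256; the colliding pair now diverges."""
    return digest(sample, "sha256") in allowlisted_sha256


if __name__ == "__main__":
    # Constructed stand-in for the common trailing content of both files.
    file_a, file_b = extend_collision(b"\x00" * 32 + b"common trailing bytes")
    print("collision bytes differ at offsets", differing_offsets(M1, M2))
    print("md5 equal:", digest(file_a) == digest(file_b))
    print("sha256 equal:", digest(file_a, "sha256") == digest(file_b, "sha256"))
    print("behaviours:", behaviour(file_a), behaviour(file_b))
    print("md5 allowlist built from file_a accepts file_b:",
          allowlist_accepts({digest(file_a)}, file_b))
```

The point to take from the run is the last line: an allowlist populated from the variant that was submitted for review accepts the other variant without any further work by the attacker, while the same lookup keyed on SHA‑256 rejects it.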

Dual‑Signature Verification – In late 2015 the actor introduced samples carrying two signatures. On a Windows 7 system without the update that adds support for multiple (dual) Authenticode signatures, only the first signature is parsed; it is invalid, so the file looks tampered with. Once the update is installed the verifier also parses the second signature, which is valid, and the file passes. The trick exploits verification logic that assumes a file has exactly one signature. When triaging such a sample, enumerate every signature it carries (for example with signtool verify /all) rather than trusting the first result.

Attack Flow Analysis – A typical infection chain starts with an NSIS‑packed installer that fingerprints its execution environment (its own process name, its parent process and similar checks, a common anti‑analysis measure) and only proceeds when the checks pass. It then silently downloads an encrypted ZIP, extracts the malicious MSI, runs a signed root‑certificate update tool to install a forged CA certificate into the trusted root store (after which anything chained to that CA is trusted system‑wide), and finally launches the malicious PE payload inside a process that looks like svchost. The payload then carries out follow‑on actions such as browser hijacking.

Propagation and Impact – The campaign peaked in May 2015, when it affected over 5.5 million users across China, with Guangdong province alone accounting for more than 600,000 infections. Distribution channels included bundled rogue software, legitimate download sites, file‑sharing services and the attacker's own website. Security products such as 360 Security eventually detected and blocked the samples.

Tags: information security, digital signature, malware analysis, chosen-prefix collision, MD5 collision
Written by

Architect

Professional architect sharing high‑quality architecture insights. Topics include high‑availability, high‑performance, high‑stability architectures, big data, machine learning, Java, system and distributed architecture, AI, and practical large‑scale architecture case studies. Open to ideas‑driven architects who enjoy sharing and learning.
