Counterfeit code-signing certificates are being hawked on underground markets to malware makers and the problem is getting worse.
The counterfeit certificates can be used to as part of a strategy to avoid detection, particularly by operating systems and anti-virus software, which check the certificate before enabling an application is installed.
That's according to Andrei Barysevich, director of threat intelligence company Recorded Future, who notes "a sudden increase in code signing certificates being used as a layered obfuscation technique for malicious payload distribution campaigns".
Rather than using stolen digital certificates - of which there are plenty following a spate of thefts - malware writers are using counterfeit certificates instead because they are cheaper.
For example, stolen certificates were used by the Stuxnet worm, linked to US intelligence agencies, to penetrate and sabotage Iran's covert nuclear development program.
"The most affordable version of a code signing certificate costs $299, but the most comprehensive Extended Validation (EV) certificate with a SmartScreen reputation rating is listed for $1,599. The starting price of a domain name registration with EV SSL certificate is $349," claimed Barysevich in his report. (PDF)
These certificates, he adds, all appear to be issued by reputable digital certificate providers, presumably unaware that their data has been contributing to malware makers' activities.
Barysevich believes the problem has been getting worse since the first counterfeit code-signing certificates were identified for sale in March 2015, by someone known only as [email protected], a member of hacking messaging board.
"[email protected] offered for sale a Microsoft Authenticode capable of signing 32/64b versions of various executable files, as well as Microsoft Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing documents, and supported Silverlight 4 applications. Additionally, Apple code signing certificates were also available," reports Barysevich.
His certificates were registered and issued by Comodo, Thawte and Symantec. [email protected] claimed to have sold more than 60 certificates in less than six months - despite demanding $1,000 or more per certificate.
"Approximately two years later, three new actors began offering their services primarily in the Eastern European underground. While one actor eventually moved on to other illicit operations, the remaining two actors still actively supply counterfeit certificates to Russian-speaking actors," warned Barysevich.
Insikt Group conducted a trial with a counterfeit certificate, he noted, signing a previously unreported remote access Trojan with a counterfeit Comodo certificate.
"Despite that test-subject files were encrypted beforehand, the results of the test demonstrated the superior effectiveness of code signed versions," claimed Barysevich, and only two anti-virus software packages detected the encrypted, code-signed malware, out of eight that identified the same encrypted malware that had not been code-signed.
Code signing, the Certificate Authority Security Council explains (PDF), is the process of digitally signing executables and scripts to confirm the identity of the software author and guarantee that the code has not been altered or corrupted since it was signed. Publicly trusted certification authorities (CAs) confirm signers' identities and bind their public key to a code signing certificate.
Use the same password for every website? It might be time to change them all
Applicants for parking bay suspensions put at risk of credit card fraud by Islington Council
Robert Swan appointed interim CEO after Brian Krzanich's departure
Should you link your data sets to add value, or leave them separate to reduce risk?