- Feb 4, 2016
Signing malicious code with valid digital certificates is a helpful trick used by attackers to maximize the odds that malware won’t be flagged by antivirus solutions, and often not even by network security appliances.
Digitally signed malware can also bypass OS protection mechanisms that install or launch only programs with valid signatures.
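Because a signature that validates no longer says anything about who is behind it, a defender's check should look at the signer, not just the verification status. The following PowerShell function is an added example, not code from the article or from Recorded Future: it walks a directory and reports binaries whose Authenticode signature is valid but whose signer subject is not on an allowlist. The allowlist entry is a placeholder to be replaced with the publishers you actually expect.

```powershell
function Find-UnexpectedSigners {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder allowlist of expected publisher subject names (hypothetical value).
        [string[]] $TrustedSubjects = @('CN=Example Corp, O=Example Corp, C=US')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe,*.dll,*.sys,*.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Unsigned or broken signatures are covered by other controls; the point here is
        # signatures that validate but come from a publisher we do not expect.
        if ($sig.Status -ne 'Valid') { return }
        $cert = $sig.SignerCertificate
        if ($TrustedSubjects -contains $cert.Subject) { return }
        [pscustomobject]@{
            File       = $_.FullName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore   # a very recently issued certificate is worth a second look
        }
    }
}

# Usage: review the hits by hand, then add legitimate publishers to the allowlist.
Find-UnexpectedSigners -Path 'C:\Program Files' | Format-Table -AutoSize
```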
As it happens, it has recently been pointed out that the practice of signing malicious code is more widespread than previously thought.
But, while there’s a general assumption (granted, backed by many instances) that attackers prefer using stolen certificates to sign their malicious payloads, Recorded Future researchers have discovered that, for the last couple of years, a few underground vendors have been offering legitimately issued code signing certificates, as well as domain name registration with accompanying SSL certificates.
The vendors
“C@T,” one of the first providers of this commodity, started in early 2015, and sold Microsoft Authenticode certificates capable of signing 32/64-bit versions of various executable files, as well as Microsoft Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing documents, and supported Silverlight 4 applications. He apparently even sold Apple code signing certificates.
“In his advertisement, C@T explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec — the largest and most respected issuers,” the researchers shared.