Researchers have identified a new threat actor that is using impersonation fraud to purchase digital certificates that are then used for the spread of malware.
Security firm ReversingLabs identified a bad actor that deceives certificate authorities into selling them legitimate digital certificates by impersonating company executives, according to a blog post by chief architect and co-founder Tomislav Pericin. Once purchased, the bad actor sells the certificates on the black market for digitally signing malicious files, mainly adware, he said.
“Certificates are valuable resources to threat actors, as their mere presence can reduce the chance of early malware detection,” he wrote. “This is particularly true for financially motivated actors.”
ReversingLabs used public threat intelligence data to reconstruct the timeline of a fraudulent purchase of digital certifications, including the impersonation of a legitimate entity. That included proof that the bad actors provided the purchased certificates to a cybercrime group and that they were used to spread malware via signed malicious files, according to the post.
ReversingLabs identified cybercriminals duping certificate authorities by impersonating legitimate entities and then selling the certificates on the black market.