Volume of Signed Malware Increases, CAs Need Better Vetting

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Content source
https://www.bleepingcomputer.com/news/security/volume-of-signed-malware-increases-cas-need-better-vetting/
Digitally signed threats with a valid certificate are no longer the mark of a nation-state, sophisticated attacker. The number of malware samples signed with a valid certificate found on VirusTotal is in the thousands.

Threats signed with a valid digital certificate are no longer the mark of a nation-state, sophisticated attacker and financial-driven cybercriminals are able to purchase code-signing certs either directly or indirectly from certificate authorities (CA) or their resellers.

Crims abuse certs from at least 13 CAs
A study from Chronicle security company reveals that 3,815 signed malware samples were uploaded to VirusTotal scanning service over a period of one year.

The investigation is by no means exhaustive as it focused only on Windows portable executable (PE) and excluded samples that had less than 15 detections on the platform. Furthermore, it filtered out files that were borderline malicious.

The list of CAs with abused certificates includes Sectigo, Thawte, VeriSign, Symantec, DigiCert, GlobalSign, WoSign, Go Daddy, WoTrus, GDCA, Certum, E-Tugra, and Entrust.
The results show that Sectigo, formerly Comodo, had issued the highest number of digital certificates, with close to 2,000 certs abused by malware authors to sign their code.
... ...
Click to expand...
 
  • Like
  • +Reputation
Reactions: Solarquest, Der.Reisende, upnorth and 4 others
upnorth

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Sectigo, formerly Comodo, had issued the highest number of digital certificates, with close to 2,000 certs abused by malware authors to sign their code. This should not come as a surprise as Sectigo is the largest commercial Certificate Authority (CA) and has plenty of resellers that could be tricked into issuing a certificate to the wrong party. Recently, the company announced a sponsorship for Let's Encrypt CA that offers free certificates for the public benefit. Code signing emerged as a method to guarantee the authenticity and integrity of the code running on a Windows machine. This allowed discerning between legitimate software and a potentially malicious one. All this relies on trust in the authority that issued the certificate. "The chain of trust is relatively straight-forward: certificates are signed (issued) by trusted certificate authorities (CAs) , which have the backing of a trusted parent CA. This inherited trust model is taken advantage of by malware authors who purchase certificates directly or via resellers,"
Click to expand...
better results are possible when buyers are verified more diligently.
Click to expand...
 
  • Like
Reactions: silversurfer, Solarquest, harlan4096 and 2 others
You must log in or register to reply here.

Similar threads

silversurfer
    • +Reputation
    • Like
BlackCat Ransomware Deploys New Signed Kernel Driver
Replies
0
Views
1,173
News Archive
silversurfer
silversurfer
Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Emsisoft says hackers are spoofing its certs to breach networks
Replies
2
Views
1,019
News Archive
ForgottenSeer 98186
F
Gandalf_The_Grey
    • Wow
    • +Reputation
    • Like
Samsung, LG, Mediatek certificates compromised to sign Android malware
Replies
0
Views
641
News Archive
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top