LASER_oneXM

Digitally signed threats with a valid certificate are no longer the mark of a nation-state, sophisticated attacker. The number of malware samples signed with a valid certificate found on VirusTotal is in the thousands.

Threats signed with a valid digital certificate are no longer the mark of a nation-state, sophisticated attacker, and financially driven cybercriminals are able to purchase code-signing certs either directly or indirectly from certificate authorities (CAs) or their resellers.

Crims abuse certs from at least 13 CAs
A study from Chronicle security company reveals that 3,815 signed malware samples were uploaded to VirusTotal scanning service over a period of one year.

The investigation is by no means exhaustive, as it focused only on Windows portable executables (PE) and excluded samples that had fewer than 15 detections on the platform. Furthermore, it filtered out files that were borderline malicious.

The list of CAs with abused certificates includes Sectigo, Thawte, VeriSign, Symantec, DigiCert, GlobalSign, WoSign, Go Daddy, WoTrus, GDCA, Certum, E-Tugra, and Entrust.
The results show that Sectigo, formerly Comodo, had issued the highest number of digital certificates, with close to 2,000 certs abused by malware authors to sign their code.
... ...
 

upnorth

Sectigo, formerly Comodo, had issued the highest number of digital certificates, with close to 2,000 certs abused by malware authors to sign their code. This should not come as a surprise as Sectigo is the largest commercial Certificate Authority (CA) and has plenty of resellers that could be tricked into issuing a certificate to the wrong party. Recently, the company announced a sponsorship for Let's Encrypt CA that offers free certificates for the public benefit.

Code signing emerged as a method to guarantee the authenticity and integrity of the code running on a Windows machine. This allowed discerning between legitimate software and a potentially malicious one. All this relies on trust in the authority that issued the certificate.

"The chain of trust is relatively straight-forward: certificates are signed (issued) by trusted certificate authorities (CAs), which have the backing of a trusted parent CA. This inherited trust model is taken advantage of by malware authors who purchase certificates directly or via resellers,"
better results are possible when buyers are verified more diligently.
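As an added example (not from this thread or from Chronicle's report), the PowerShell triage below walks the chain of trust described above for each signed PE and records signer, issuing CA, root and thumbprint as evidence, so that a "Valid" Authenticode status is never treated as a clean verdict on its own. The quarantine path and the 30-day "newly issued certificate" review threshold are assumptions, not values from the article.

```powershell
# Added example: inventory Authenticode signatures on Windows PE files and flag
# signed binaries that still deserve analyst review. Assumes Windows PowerShell 5.1+
# or PowerShell 7 on Windows; 'C:\Quarantine' is a placeholder path.
function Get-SigningTriage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $NewCertDays = 30   # constructed heuristic: freshly issued signer cert
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            $root = $null
            $chainErrors = $null
            if ($cert) {
                # Walk signer -> issuing CA -> root so the CA that sold the cert is
                # on record even when the leaf subject is a throwaway company name.
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode = 'Online'
                [void] $chain.Build($cert)
                $elements    = @($chain.ChainElements)
                $root        = $elements[-1].Certificate.Subject
                $chainErrors = ($chain.ChainStatus.Status -join ',')  # e.g. Revoked
            }
            [pscustomobject] @{
                File        = $_.FullName
                Status      = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer      = $cert.Subject
                Issuer      = $cert.Issuer           # the CA or reseller-backed CA
                Root        = $root
                Thumbprint  = $cert.Thumbprint       # pivot: same cert reused across samples
                NotBefore   = $cert.NotBefore
                Timestamped = [bool] $sig.TimeStamperCertificate
                ChainErrors = $chainErrors
                # Valid signature from a cert issued days ago: worth a second look,
                # not proof of malice. Trust in the CA is inherited, not earned by the file.
                Review      = ($sig.Status -eq 'Valid') -and ($null -ne $cert) -and
                              ($cert.NotBefore -gt (Get-Date).AddDays(-$NewCertDays))
            }
        }
}

Get-SigningTriage -Path 'C:\Quarantine' |
    Format-Table Status, Signer, Issuer, ChainErrors, Review -AutoSize
```

Thumbprint and Issuer are the fields to correlate against other samples or a VirusTotal lookup; a signature that is cryptographically valid says only who the CA believed it was dealing with.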