Digitally signed threats with a valid certificate are no longer the mark of a sophisticated, nation-state attacker. The number of malware samples signed with a valid certificate found on VirusTotal is in the thousands.
Threats signed with a valid digital certificate are no longer the mark of a sophisticated, nation-state attacker: financially motivated cybercriminals are able to purchase code-signing certificates either directly or indirectly from certificate authorities (CAs) or their resellers.
Crims abuse certs from at least 13 CAs
A study from the security company Chronicle reveals that 3,815 signed malware samples were uploaded to the VirusTotal scanning service over a period of one year.
The investigation is by no means exhaustive, as it focused only on Windows portable executable (PE) files and excluded samples that had fewer than 15 detections on the platform. Furthermore, it filtered out files that were only borderline malicious.
The list of CAs with abused certificates includes Sectigo, Thawte, VeriSign, Symantec, DigiCert, GlobalSign, WoSign, Go Daddy, WoTrus, GDCA, Certum, E-Tugra, and Entrust.
The results show that Sectigo, formerly Comodo, had issued the highest number of abused digital certificates, with close to 2,000 certs used by malware authors to sign their code.
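To make the study's selection criteria and per-CA tally concrete, here is an added example (not Chronicle's code, and not VirusTotal's API) that applies the same filters to constructed report records: Windows PE files only, at least 15 detections, and a signature that verifies. The record layout and field names are assumptions for this example, and the issuer-to-CA mapping folds Comodo-branded issuers into Sectigo because Sectigo is Comodo's new name.

```python
from collections import Counter

# Constructed sample records, shaped loosely after a VirusTotal file report.
# Field names are assumptions for this example, not VirusTotal's real schema.
SAMPLE_REPORTS = [
    {"sha256": "sample-01", "file_type": "PE32", "positives": 48,
     "signature": {"verified": True, "issuer": "Sectigo RSA Code Signing CA"}},
    {"sha256": "sample-02", "file_type": "PE32", "positives": 31,
     "signature": {"verified": True, "issuer": "COMODO RSA Code Signing CA"}},
    {"sha256": "sample-03", "file_type": "PE32", "positives": 9,   # below the threshold
     "signature": {"verified": True, "issuer": "DigiCert SHA2 Assured ID Code Signing CA"}},
    {"sha256": "sample-04", "file_type": "ELF", "positives": 50,   # not a PE file
     "signature": None},
    {"sha256": "sample-05", "file_type": "PE32+", "positives": 22, # signature does not verify
     "signature": {"verified": False, "issuer": "Thawte Code Signing CA"}},
    {"sha256": "sample-06", "file_type": "PE32", "positives": 17,
     "signature": {"verified": True, "issuer": "DigiCert SHA2 Assured ID Code Signing CA"}},
]

MIN_DETECTIONS = 15  # the study dropped samples with fewer than 15 detections

# Issuer-name fragments folded to the CA brand the article reports. "comodo" maps
# to Sectigo because Sectigo is the renamed Comodo CA.
ISSUER_TO_CA = {"sectigo": "Sectigo", "comodo": "Sectigo", "digicert": "DigiCert",
                "thawte": "Thawte", "globalsign": "GlobalSign"}


def normalize_ca(issuer):
    """Map a certificate issuer string to the CA brand it belongs to."""
    lowered = issuer.lower()
    for fragment, ca in ISSUER_TO_CA.items():
        if fragment in lowered:
            return ca
    return "Other"


def is_validly_signed_pe_malware(report, min_detections=MIN_DETECTIONS):
    """Apply the study's inclusion criteria to a single report."""
    if not str(report.get("file_type", "")).startswith("PE"):
        return False
    if report.get("positives", 0) < min_detections:
        return False
    signature = report.get("signature") or {}
    return signature.get("verified") is True


def abused_ca_counts(reports, min_detections=MIN_DETECTIONS):
    """Count qualifying validly signed malware samples per issuing CA."""
    counts = Counter()
    for report in reports:
        if is_validly_signed_pe_malware(report, min_detections):
            counts[normalize_ca(report["signature"]["issuer"])] += 1
    return counts
```

Lowering `min_detections` shows how much the reported figures depend on the detection threshold, which is why the article calls the study non-exhaustive.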