Volume of Signed Malware Increases, CAs Need Better Vetting

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Digitally signed threats with a valid certificate are no longer the mark of a nation-state, sophisticated attacker. The number of malware samples signed with a valid certificate found on VirusTotal is in the thousands.

Threats signed with a valid digital certificate are no longer the mark of a nation-state, sophisticated attacker and financial-driven cybercriminals are able to purchase code-signing certs either directly or indirectly from certificate authorities (CA) or their resellers.

Crims abuse certs from at least 13 CAs
A study from Chronicle security company reveals that 3,815 signed malware samples were uploaded to VirusTotal scanning service over a period of one year.

The investigation is by no means exhaustive as it focused only on Windows portable executable (PE) and excluded samples that had less than 15 detections on the platform. Furthermore, it filtered out files that were borderline malicious.

The list of CAs with abused certificates includes Sectigo, Thawte, VeriSign, Symantec, DigiCert, GlobalSign, WoSign, Go Daddy, WoTrus, GDCA, Certum, E-Tugra, and Entrust.
The results show that Sectigo, formerly Comodo, had issued the highest number of digital certificates, with close to 2,000 certs abused by malware authors to sign their code.
... ...
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
Sectigo, formerly Comodo, had issued the highest number of digital certificates, with close to 2,000 certs abused by malware authors to sign their code. This should not come as a surprise as Sectigo is the largest commercial Certificate Authority (CA) and has plenty of resellers that could be tricked into issuing a certificate to the wrong party. Recently, the company announced a sponsorship for Let's Encrypt CA that offers free certificates for the public benefit. Code signing emerged as a method to guarantee the authenticity and integrity of the code running on a Windows machine. This allowed discerning between legitimate software and a potentially malicious one. All this relies on trust in the authority that issued the certificate. "The chain of trust is relatively straight-forward: certificates are signed (issued) by trusted certificate authorities (CAs) , which have the backing of a trusted parent CA. This inherited trust model is taken advantage of by malware authors who purchase certificates directly or via resellers,"
better results are possible when buyers are verified more diligently.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top