Code signing Certificates created on demand for Cybercriminals

Many organizations have as of late begun adopting certain strategies of using code-signing certificates to authenticate their software and protect it against tampering. Indeed, even Malware authors have for quite some time been utilizing such certificates for their malicious payloads so as to sneak past enterprise anti-malware tools.

A New research done by the Recorded Future shows that a growing number of code-signing certificates in the cyber underground are actually being created on demand for specific buyers by Dark Web vendors utilizing stolen corporate identities. Each certificate is unique to the buyer and is usually delivered within two- to four days.

The certificates are notwithstanding being issued by reputable companies for example Symantec, Comodo, and Thawte, and are accessible at costs ranging from $299 to $1,599.

This usage of code-signing certificates to distribute malware is not new but recently more malware authors have started depending on the strategy as a way to distribute malware.

"We do not have information on what percentage of all certificates circulating in the Dark Web were obtained using compromised corporate credentials," says Andrei Barysevich, director of advance collection at Recorded Future. "However, considering the malicious intent of hackers when utilizing such certificates, it is safe to assume that a high proportion of them were obtained fraudulently."

The certificates issued give users an approach to confirm the identity of the publisher and the integrity of the code. The Malware however is difficult to spot since it has been digitally signed with a valid code-signing certificate as it also happens that a majority of the anti-malware tools and browsers remain under the impression that the payload can be trusted because it is from a trusted publisher.

A recent incident that sparked wide spread interest was reported last October, by a security vendor Venafi that followed a six-month investigation conducted to show a thriving market for code signing certificates on the Dark Web.

 The research, conducted by the Cyber Security Research Institute, showed that such certificates are more expensive than even the stolen US passports, credit cards, and handguns. Venafi found that stolen code-signing certificates are being utilized as a part of a wide range of malicious activity including man-in-the-middle attacks, malware obfuscation, website spoofing, and data exfiltration and can get up to $1,200 in underground markets.

Recorded Future researchers say that their investigation shows that the cybercriminals are currently offering new code-signing certificates and domain-name registration services with SSL certificates.
They first observed a Dark Web vendor selling such certificates in 2015. From that point onward, they have seen no less than three new actors selling code-signing certificates obtained from major CAs using stolen corporate credentials. One of the vendors has even proceeded on to other activities while the remaining two are as of now continuing to sell counterfeit certificates primarily to Russian threat actors.

The cost associated with these certificates implies to the fact that they are likely to be of most interest to hackers with specific motives in mind, Barysevich says.

"Attackers who are engaged in targeted campaigns, such as corporate espionage or bank infiltration, are the most likely buyers of counterfeit code-signing certificates," he added further.
"That being said, there are many applications of compromised SSL EV {Extended Validation Assurance} certificates, and they could be used in a more widespread malware campaign."

The essential certificates without EV assurance are in any case available for $600 from the vendors, or twice the amount of $295 that an organization would normally pay for a code-signing certificate for legitimate use.
Category: / /

Share this with Your friends: