Hackers are now using code-signing certificates to make their malware look legitimate and to bypass security protections more easily. After Stuxnet, one of the first major worms to deceive its targets with legitimate certificates, researchers continued to suggest that this strategy, first seen in state-backed operations, was being used by the criminal community as well.
Now, security researchers at the threat intelligence provider Recorded Future have revealed a sudden increase in the use of fraudulent cryptographic certificates. These certificates come from legitimate issuers and vouch for the safety of the malware. But how do these hackers buy the certificates? The research reveals underground services that sell unique counterfeit certificates to their buyers.
Before this, it was believed that criminals were stealing signing credentials and repurposing them to make their malicious programs look legitimate. "Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective," Andrei Barysevich of Recorded Future said.
Counterfeit certificates go for as much as $1,599 apiece
These certificates not only help criminals trick users into believing a program is legitimate, but sometimes act as a key signal for getting past Windows or macOS protections. Using these certificates, hackers also suppress the warnings that your operating system shows when an unsigned program is being installed.
"It is important to note that all certificates are created for each buyer individually with the average delivery time of two to four days."
During their research, the researchers identified four sellers of counterfeit signing credentials and managed to get a previously unreported RAT (remote access trojan) signed by one of them. The certificate had recently been issued by Comodo, a legitimate certificate authority.
The problem? After the trojan was signed with the Comodo-issued certificate, only two of the top AV engines could detect it.
One of these sellers, known as C@T, advertised file signing using Microsoft's Authenticode technology and also offered certificates for macOS apps for over $1,000 per certificate. "In his advertisement, C@T explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec - the largest and most respected issuers," the report adds.
"The seller indicated that each certificate is unique and will only be assigned to a single buyer, which could be easily verified via HerdProtect.com. According to C@T, the success rate of payload installations from signed files increases by 30 to 50 percent, and he even admitted to selling over 60 certificates in less than six months."
This means that while the certificates are not stolen, Barysevich said all of them are "registered using the information of real corporations," which remain unaware that their data is being used in illicit activities.
While the use of legitimate signing certificates on malicious apps can make it difficult for users to spot malware and evidently lets the malware bypass AV protections too, the researchers said these certificates would be invalidated fairly quickly. However, they added that "more sophisticated actors and nation-state actors who are engaged in less widespread and more targeted attacks will continue using fake code signing and SSL certificates in their operations."
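The report's practical lesson for defenders is that a "valid" Authenticode signature from a real CA only proves that some registered corporate identity signed the file, not that the publisher is the one you expect. The following PowerShell script is an added example, not code from the article or from Recorded Future, showing the three checks a defender would run before trusting a signed binary: signature status via the built-in Get-AuthenticodeSignature cmdlet, an online revocation check through .NET's X509Chain (relevant because the researchers expect these certificates to be invalidated quickly), and a pin against an allowlist of expected signer thumbprints. The function name Test-SignedBinary, the $TrustedThumbprints variable, its placeholder value and the example file path are all assumptions made for this illustration.

```powershell
# Added example, not from the article or Recorded Future. Reads an Authenticode
# signature the way the report suggests it should be read: a valid signature from
# a real CA is a claim about who signed, not proof that the publisher is trusted.
# Test-SignedBinary and $TrustedThumbprints are hypothetical names for this example.

# Hypothetical allowlist of signing-certificate thumbprints your organisation has
# vetted. The value below is a placeholder, not a real thumbprint.
$TrustedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-OF-EXPECTED-PUBLISHER'
)

function Test-SignedBinary {
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [string[]]$Allowlist = $TrustedThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $report = [ordered]@{
        File        = $FilePath
        Status      = [string]$sig.Status   # Valid, NotSigned, HashMismatch, UnknownError ...
        Subject     = $null
        Issuer      = $null
        Thumbprint  = $null
        ChainErrors = @()
        Revoked     = $false
        OnAllowlist = $false
        Verdict     = 'untrusted'
    }

    # Step 1: an unsigned or tampered file fails immediately.
    if ($sig.Status -ne 'Valid') {
        $report.Verdict = "untrusted: signature status is $($sig.Status)"
        return [pscustomobject]$report
    }

    $cert = $sig.SignerCertificate
    $report.Subject    = $cert.Subject     # the corporation the certificate was registered to
    $report.Issuer     = $cert.Issuer      # the CA (Comodo, Thawte and Symantec in the report)
    $report.Thumbprint = $cert.Thumbprint

    # Step 2: rebuild the chain with an online revocation check. A certificate
    # obtained under a stolen corporate identity tends to be revoked once the CA
    # learns of it, and Get-AuthenticodeSignature alone does not surface that.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) {
        # Other flags (e.g. NotTimeValid on an expired but timestamped certificate)
        # are reported for review; only Revoked is treated as decisive here.
        $report.ChainErrors += [string]$s.Status
        if ($s.Status.HasFlag([System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked)) {
            $report.Revoked = $true
        }
    }
    $chain.Reset()

    # Step 3: "Valid" and "not revoked" still only mean a real CA issued the
    # certificate to someone. Pin to the publishers you actually expect.
    $report.OnAllowlist = $Allowlist -contains $cert.Thumbprint

    if ($report.Revoked) {
        $report.Verdict = 'untrusted: signing certificate is revoked'
    } elseif (-not $report.OnAllowlist) {
        $report.Verdict = 'untrusted: valid signature from an unexpected publisher; review Subject and Issuer'
    } else {
        $report.Verdict = 'trusted: valid, unrevoked and on the allowlist'
    }
    return [pscustomobject]$report
}

# Usage (the path is an example, not a real artifact):
# Test-SignedBinary -FilePath 'C:\Downloads\installer.exe' | Format-List
```

The design choice worth noting is that the verdict is not driven by the signature status. In the scenario the report describes, the signature status will be Valid and the Issuer will be a respected CA; what distinguishes the RAT from a legitimate installer is that its Subject names a corporation you have no relationship with and its thumbprint is not one you have vetted, so the allowlist, not the CA, is the control that matters.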