Signed Malware

ronjor · Feb 4, 2018

Stuxnet famously used legitimate digital certificates to sign its malware. A research paper from last year found that the practice is much more common than previously thought. What's more, it predated Stuxnet, with the first known instance occurring in 2003.
Click to expand...

https://www.schneier.com/blog/archives/2018/02/signed_malware.html

itman · Feb 4, 2018

Nothing new here as evidenced by Casey Smith's demonstration of using MimiKatz to sign with MS code signed certs..
https://twitter.com/subtee/status/912769644473098240?lang=en

guest · May 22, 2019

Volume of Signed Malware Increases, CAs Need Better Vetting
May 22, 2019
https://www.bleepingcomputer.com/ne...ed-malware-increases-cas-need-better-vetting/

Digitally signed threats with a valid certificate are no longer the mark of a nation-state, sophisticated attacker. The number of malware samples signed with a valid certificate found on VirusTotal is in the thousands.
Crims abuse certs from at least 13 CAs
A study from Chronicle security company reveals that 3,815 signed malware samples were uploaded to VirusTotal scanning service over a period of one year.

The list of CAs with abused certificates includes Sectigo, Thawte, VeriSign, Symantec, DigiCert, GlobalSign, WoSign, Go Daddy, WoTrus, GDCA, Certum, E-Tugra, and Entrust.
The results show that Sectigo, formerly Comodo, had issued the highest number of digital certificates, with close to 2,000 certs abused by malware authors to sign their code.
This should not come as a surprise as Sectigo is the largest commercial Certificate Authority (CA) and has plenty of resellers that could be tricked into issuing a certificate to the wrong party.

The six CAs that signed certificates of 100 or more malware samples make for about 78% of the signed malicious code uploaded to VirusTotal.
Click to expand...

Chronicle: Abusing Code Signing for Profit

guest · May 22, 2019

Comodo is known to be "lazy" when checking the legitimacy of the certs buyers,after all, money is money...they even Whitelist malware in their cloud network

ronjor · May 22, 2019

Alphabet's Chronicle Explores Code-Signing Abuse in the Wild

Kelly Sheridan 5/22/2019
A new analysis highlights the prevalence of malware signed by certificate authorities and the problems with trust-based security.
Click to expand...

guest · May 25, 2019

Sectigo Responds to Chronicle's Report About Malware Signed by Their Certs
May 25, 2019
https://www.bleepingcomputer.com/ne...s-report-about-malware-signed-by-their-certs/

Following Chronicle’s study on signed malware registered on VirusTotal scanning service over a one-year period, Sectigo carried their own investigation to identify abused certificates and revoke them.
Lots of duplicates identified
In a post on Friday, Sectigo reveals that most of the certificates Chronicle found to be issued by the company and abused to sign malware were expired, were already revoked or duplicates at the time Sectigo looked into the matter; collectively, they make for 90% of the certs attributed to Comodo/Sectigo.

Duplicate certificates are those that match other certs had been logged under a different category. “This duplication may owe itself to multiple uses of the same certificate or multiple reports of the same malware application,” explains Sectigo.
The largest part of the certs Chronicle saw issued by Comodo/Sectigo were duplicates. They accounted for 1660 of the results.
A breakdown of Sectigo’s findings is as follows: [...]
Click to expand...

guest · Jun 12, 2019

Code Signing Shortcomings Leave Gaps for Hackers
June 12, 2019
https://www.infosecurity-magazine.com/news/code-signing-shortcomings-leave-1/

Only a little over a quarter (28%) of global organizations have a clearly defined security process in place for code signing, potentially opening the door for hackers to steal and use these certificates in attacks, according to new Venafi research.
What’s more, over a third (35%) admitted that they don’t have a clear owner for the private keys used in code signing.

The vendor’s vice-president of security strategy and threat intelligence, Kevin Bocek, argued that code signing certificates enabled both the notorious Stuxnet and ShadowHammer attacks to succeed.

“Security teams and developers look at code signing security in radically different ways. Developers are primarily concerned about being slowed down because of their security teams’ methods and requirements. This disconnect often creates a chaotic situation that allows attackers to steal keys and certificates,” he added.
Click to expand...

Log in or Sign up

Signed Malware

ronjor Global Moderator

itman Registered Member

guest Guest

guest Guest

ronjor Global Moderator

guest Guest

guest Guest

Log in or Sign up

Signed Malware

ronjor Global Moderator

itman Registered Member

guest Guest

guest Guest

ronjor Global Moderator

guest Guest

guest Guest

Useful Searches