The Astounding Persistence of Abusive Certificates in Malware

July 16, 2019 | Guest Blogger: Haydn Johnson

Security loopholes aren't a hacker's only gateway to infecting a system. Sometimes legitimate certificates are used to spread malware, and they can remain a threat for years. This type of threat is not going away anytime soon.

So, what is a certificate? Why are they important? Who is abusing them and for what reason? Read on to find out:

What are certificates and what are they used for?

Certificates are used to cryptographically sign executable code, documents and even websites. They attest that the person, code, website or organization behind them is who it claims to be, which is why users and software trust them.

In short, they give your everyday, non-technical user some assurance that the website or application they are using is legitimate.

Why are certificates important?

Applications that use a certificate are seen as more trustworthy by users. Trusted applications are generally not stopped by antivirus or anti-malware technologies. Trusted websites are more likely to be used for sensitive actions, such as online banking.

Certificates are considered secure because they rely on Public Key Infrastructure (PKI). PKI is an asymmetric system that uses a pair of keys, a public key and a private key, to protect communications. The public key is used to encrypt data, whether that is in the user's browser, a stored file, or part of a message to be sent. The private key is then used to decrypt that data once it arrives at the website or server. The system is considered secure because only the private key can decrypt data that was encrypted with the public key.

SSL Certificates as an example

An SSL (Secure Sockets Layer) certificate contains the public key of a website, which allows the user's information to be encrypted and sent to the website, making the session with the website secure. The website then decrypts the session data using its private key.

If an organization wants a secure website that uses encryption, then a certificate needs to be obtained.

Obtaining one gives the website the green padlock that most non-technical users recognize.

In general, SSL certificates are used to prevent malicious websites from impersonating legitimate ones. Attackers create fake websites to steal credentials and/or deliver malware.

Digital certificates are primarily used to ensure that software is legitimate and not malware, helping non-technical users easily identify malicious internet properties.

Certificate Authorities (CA) & Software Companies

Sticking with the SSL certificate example, Certificate Authorities (CAs) are entities that issue SSL certificates and act as a trusted (approved) third party. CAs are trusted because they require payment and proof of identity before tying a piece of code, a document, or an application to the legitimate organization. They verify that the certificate actually belongs to the person, organization, or entity named in it.

Software companies do the same for their own software; they sign and certify their code to prove that it belongs to them. The aim is to prevent malicious attackers from passing off malware as legitimate software.

CAs & Software Companies on Attackers' Hit Lists

Getting malware signed by a legitimate company, or getting a website signed by a trusted CA, is a top priority for malicious attackers. If they can obtain ‘legitimate’ certificates that others trust, they can run malicious code or malicious websites that are seen as ‘trusted’. This allows attackers to run code that would otherwise be blocked without the certificate.

It is much easier for an attacker to steal a certificate than to attempt to bypass antivirus, application whitelisting, intrusion prevention and all the other tools defenders have. With a certificate, the malware is allowed to run in a trusted state. Bypassing these technologies this way can save a cyber criminal organization considerable development time and money.

All the benefits above mean attackers are well-practiced at targeting certificate authorities and software companies. An example of this is the NotPetya Ransomware Worm, where attackers used fraudulent Microsoft certificates in an attempt to bypass antivirus scanners.

Cyber Criminals Dedicated to Stealing Trusted Certificates

The benefit of having legitimate certificates for their malware is so great that there are criminal organizations dedicated solely to stealing certificates and selling them to other cyber criminals. These criminal organizations have now even created malware designed just to steal digital certificates.

Many breaches are found to have used legitimate certificates that were stolen. The nation-state malware that infiltrated security firm Kaspersky in 2016 is a good example of this; the stolen certificates were from Foxconn.

Other Tricks That Help Attackers

Antivirus software can require significant processing power, due to the in-depth nature of scanning. To save processing power, antivirus software may decide not to scan digitally signed software, effectively deprioritizing it. Attackers are very aware of this and will sign their own malware so that it resembles software from known, trusted software companies in order to avoid examination by antivirus software.
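As an added example (not part of the original post), a PowerShell audit that treats “it is signed” as the start of the check rather than the end: it reports each binary's Authenticode status, flags files whose signature does not chain to a trusted CA or whose hash no longer matches the signed content, and pins the expected signer thumbprints so that a validly signed file from an unexpected publisher is surfaced too. The directory path and the thumbprint allowlist are placeholders to replace with your own values.

```powershell
# Added example, not from the original post. Audits executables for signature
# status and signer identity instead of trusting the mere presence of a signature.
# Assumptions: $Dir and $TrustedThumbprints are placeholders for your environment.
param(
    [string]$Dir = 'C:\ProgramData\Suspect',   # placeholder directory to audit
    [string[]]$TrustedThumbprints = @('0000000000000000000000000000000000000000')  # placeholder allowlist
)

$results = foreach ($file in Get-ChildItem -Path $Dir -Recurse -File |
                    Where-Object { $_.Extension -in '.exe', '.dll', '.sys' }) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate

    # Map the SignatureStatus enum to a verdict a triage analyst can act on.
    $verdict = switch ($sig.Status) {
        'Valid'        { 'chain-ok' }
        'NotSigned'    { 'unsigned' }
        'HashMismatch' { 'tampered' }         # file content changed after signing
        default        { 'untrusted-chain' }  # e.g. self-signed cert with a lookalike subject
    }

    # A valid chain only proves some CA vouched for *an* identity. Pin the signers
    # you actually expect so a stolen or lookalike certificate does not pass silently.
    if ($verdict -eq 'chain-ok' -and $cert.Thumbprint -notin $TrustedThumbprints) {
        $verdict = 'valid-but-unexpected-signer'
    }

    [pscustomobject]@{
        File       = $file.FullName
        Status     = $sig.Status
        Verdict    = $verdict
        Subject    = if ($cert) { $cert.Subject }    else { '' }
        Issuer     = if ($cert) { $cert.Issuer }     else { '' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
    }
}

# Show only the files that need a human look; everything else chained and matched the pin.
$results | Where-Object { $_.Verdict -ne 'chain-ok' } | Format-Table -AutoSize
```

Review the Subject and Issuer columns of anything flagged as untrusted-chain: a subject that merely resembles a well-known vendor but is issued by an unknown CA is exactly the pattern the paragraph above describes.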

Attacks Not Stopping Any Time Soon

Digital certificates are extremely valuable to attackers, allowing them to bypass ever-expanding defensive technology. Unsurprisingly, these attacks are expected to remain extremely popular for the foreseeable future.
