Code signing certificates are valuable assets for malware creators. When malware code is signed by a seemingly valid certificate, it appears to be legitimate and can thereby evade many malware detection techniques. In the days since Stuxnet, malware writers have used compromised code signing certificates that had been spirited away from a legitimate source. Now, according to security researchers at Masaryk University in the Czech Republic, and Maryland Cybersecurity Center (MCC) in the US, it appears that e-shops have been set up to sell Microsoft Authenticode certificates to anonymous buyers.
In a report entitled, Issued for Abuse: Measuring the Underground Trade in Code Signing Certificates, MCC evaluated the certificates from recent code signed malware and traced them to nefarious sources. The group then analyzed the black markets trading code signing certificates. They discovered “4 black market vendors with one of them setting up an e-shop specialized on code signing certificates and selling more than 10 certificates per month with the total of $16,150 in revenue during our observation period.”
To validate claims that the signed malware was issued in the black market and not compromised from legitimate sources, MCC researchers found that “around 45% of all abused certificates are used to sign malware within a month after they are issued.” Additional analysis of the relationships between the certificates, publishers and malware families indicated that “individual developer teams appear to be in control of their own certificates.”
As John Leyden points out in an article in The Register, “Signed malware has a greater chance of making it past antivirus scanners and other detection mechanisms, hence why hackers strive to give their malicious code the veneer of respectability with a valid digital signature.”
The presence of grey market CAs capable of issuing Authenticode certificates represents a striking new development in the evolution of signed malware. Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, warns of a growing exposure to such methods of attack. “This underground economy is growing because many organizations are rapidly expanding their use of code signing certificates. They are foundational components in many applications and DevOps environments. Unfortunately, in many cases, code signing certificates are secured by unsuspecting teams that are focused on delivering code quickly, which allows attackers to intercept them.”
According to MCC researchers, the increasing demand for Authenticode certificates is driven by the need to bypass platform protections such as Microsoft Defender SmartScreen. “Unlike the better studied Web PKI, the Authenticode PKI is opaque, as compromised certificates cannot be discovered systematically through network scanning and there is no official list of legitimate software publishers. This facilitates abuse, allowing miscreants to obtain code signing certificates and to produce valid digital signatures for malicious code.”
With new black market CAs issuing certificates for malware, it’s more important than ever that organizations maintain continuous intelligence about their entire environment of machine identities, including code signed certificates. To limit exposure, Kevin Bocek recommends that “Organizations must have full control over every code signing certificate they use, especially during the software development pipeline and signing process.”
That being said, what are the actions that we need to take immediately to minimize the risk of this new wave of attacks? MCC team suggests two practical ways to make this abuse more difficult “searching for certificates issued to similarly named publishers and revoking them as appropriate, and standardizing the format for publisher names.”
How familiar are you with the machine identities that are being used in your organization?