Dark Web e-Shops Now Distributing Code Signing Certificates for Malware

July 11, 2018 | Scott Carter

Code signing certificates are valuable assets for malware authors. When malware is signed with a seemingly valid certificate, it appears legitimate and can evade many detection techniques that treat a good signature as a mark of trust. Since Stuxnet, malware writers have relied on code signing certificates stolen from legitimate publishers. Now, according to security researchers at Masaryk University in the Czech Republic and the Maryland Cybersecurity Center (MCC) in the US, e-shops have been set up to sell Microsoft Authenticode certificates to anonymous buyers.

In a report entitled Issued for Abuse: Measuring the Underground Trade in Code Signing Certificates, the researchers examined the certificates found on recently signed malware and traced them back to their sources. The group then analyzed the black markets that trade in code signing certificates. They discovered “4 black market vendors with one of them setting up an e-shop specialized on code signing certificates and selling more than 10 certificates per month with the total of $16,150 in revenue during our observation period.”

To separate certificates bought on the black market from certificates stolen from legitimate publishers, the researchers looked at how quickly each certificate was put to use, and found that “around 45% of all abused certificates are used to sign malware within a month after they are issued.” Such rapid use points to certificates issued directly to the abusers rather than taken from a publisher that had been using them. Additional analysis of the relationships between certificates, publishers and malware families indicated that “individual developer teams appear to be in control of their own certificates.”

As John Leyden points out in an article in The Register, “Signed malware has a greater chance of making it past antivirus scanners and other detection mechanisms, hence why hackers strive to give their malicious code the veneer of respectability with a valid digital signature.”

The presence of underground vendors able to supply Authenticode certificates on demand represents a striking new development in the evolution of signed malware. Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, warns of a growing exposure to such methods of attack. “This underground economy is growing because many organizations are rapidly expanding their use of code signing certificates. They are foundational components in many applications and DevOps environments. Unfortunately, in many cases, code signing certificates are secured by unsuspecting teams that are focused on delivering code quickly, which allows attackers to intercept them.”

According to the MCC researchers, demand for Authenticode certificates is driven by the need to bypass platform protections such as Microsoft Defender SmartScreen. “Unlike the better studied Web PKI, the Authenticode PKI is opaque, as compromised certificates cannot be discovered systematically through network scanning and there is no official list of legitimate software publishers. This facilitates abuse, allowing miscreants to obtain code signing certificates and to produce valid digital signatures for malicious code.”

With black market vendors now supplying certificates for malware, it is more important than ever that organizations maintain continuous intelligence about their entire environment of machine identities, including code signing certificates. To limit exposure, Kevin Bocek recommends that “Organizations must have full control over every code signing certificate they use, especially during the software development pipeline and signing process.”

So what actions should we take now to minimize the risk from this new wave of attacks? The MCC team suggests two practical ways to make this abuse more difficult: “searching for certificates issued to similarly named publishers and revoking them as appropriate, and standardizing the format for publisher names.”
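The two signals above, the observation that abused certificates are often used within a month of issuance and the suggestion to hunt for similarly named publishers, can be turned into a small triage script. The following is an added example, not code from the paper or from Venafi; the records are constructed, and the publisher names, file names and dates are hypothetical.

```python
"""Triage signed binaries using the two signals discussed in the post:
(1) a certificate used very soon after it was issued, and (2) publisher
names that collide once written in a standard form.

Added example with constructed records; it is not code from the paper or
from Venafi. In practice each record would be populated from the PE file's
Authenticode signature: the signer certificate's Subject CN and NotBefore,
and the signing time from the RFC 3161 countersignature (if present)."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample records (hypothetical publisher names and dates).
SAMPLE = [
    {"file": "setup.exe",  "publisher": "Contoso Software Ltd.",
     "not_before": "2018-03-01", "signed": "2018-03-09"},
    {"file": "update.exe", "publisher": "Contoso Software Ltd",
     "not_before": "2018-03-01", "signed": "2018-03-20"},
    {"file": "tool.exe",   "publisher": "CONTOSO SOFTWARE LIMITED",
     "not_before": "2018-04-02", "signed": "2018-04-05"},
    {"file": "driver.sys", "publisher": "Fabrikam, Inc.",
     "not_before": "2016-01-15", "signed": "2018-02-11"},
    {"file": "helper.dll", "publisher": "Fabrikam Inc",
     "not_before": "2016-01-15", "signed": "2018-03-03"},
]

# Legal-form words that vary between spellings of the same publisher.
LEGAL_SUFFIXES = {"ltd", "limited", "llc", "inc", "corp", "corporation", "co"}


def normalize_publisher(name):
    """Canonical key for a publisher name: lower-case, punctuation replaced by
    spaces, legal-form suffixes dropped, whitespace collapsed. This is one
    concrete reading of 'standardizing the format for publisher names'."""
    tokens = re.sub(r"[^\w\s]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def days_to_first_use(record):
    """Days between certificate issuance (NotBefore) and the signing time."""
    issued = datetime.strptime(record["not_before"], "%Y-%m-%d")
    signed = datetime.strptime(record["signed"], "%Y-%m-%d")
    return (signed - issued).days


def fresh_certificate_files(records, window_days=30):
    """Files signed within window_days of the certificate being issued.
    The paper found ~45% of abused certificates were used this quickly,
    which is why it is worth a second look (but is not proof of abuse)."""
    return [r["file"] for r in records
            if 0 <= days_to_first_use(r) <= window_days]


def colliding_publishers(records):
    """Map each normalised publisher key to the distinct raw spellings seen.
    Only keys with more than one spelling are returned; these are the
    'similarly named publishers' worth reviewing with the issuing CA."""
    groups = defaultdict(set)
    for r in records:
        groups[normalize_publisher(r["publisher"])].add(r["publisher"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def triage(records, window_days=30):
    """Return (file, reasons) for every record that trips at least one signal."""
    fresh = set(fresh_certificate_files(records, window_days))
    collisions = colliding_publishers(records)
    findings = []
    for r in records:
        reasons = []
        if r["file"] in fresh:
            reasons.append("signed within %d days of certificate issuance"
                           % window_days)
        key = normalize_publisher(r["publisher"])
        if key in collisions:
            reasons.append("publisher name has variant spellings: %s"
                           % ", ".join(collisions[key]))
        if reasons:
            findings.append((r["file"], reasons))
    return findings


if __name__ == "__main__":
    for file, reasons in triage(SAMPLE):
        print(file, "->", "; ".join(reasons))
```

A new certificate being used quickly is also what a legitimate new publisher looks like, so the first signal alone is a reason to look, not a verdict; the second is only as good as the normalisation, and the suffix list here is deliberately short. On Windows the input fields come from the Authenticode signature (for example via PowerShell's Get-AuthenticodeSignature, which exposes the signer certificate); the signing time is only known when an RFC 3161 countersignature is present, otherwise the certificate's NotBefore is the only anchor you have.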

How familiar are you with the machine identities that are being used in your organization?
About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.