Valid code signing certificates are being sold on the black market to bypass antivirus

Code signing certificates have been abused by attackers for years. Back in 2010, researchers drew attention to malware samples carrying certificates copied from "clean" files. Naturally, such a signature did not pass Authenticode verification, since the signed digest belongs to the original file, not the malware (see the F-Secure presentation at the CARO 2010 conference).



Another early harbinger was the "government" malware Stuxnet, discovered in 2010. It used four 0day vulnerabilities in Windows to spread and gain administrator rights, and was signed with genuine certificates stolen from Realtek and JMicron. The malware installed itself on the system as a Windows driver.



Other examples followed, and since about 2015 a full-fledged black market in valid certificates from reputable certification authorities (CAs) has existed. Such certificates are sold on underground forums like the Russian Antichat.

It is widely believed that the certificates sold on the black market are stolen from their legitimate owners. This is not true: they are genuinely issued by real CAs.

Security researchers from the Recorded Future Insikt Group explored the underground certificate market and published a report (pdf) with their findings. In their opinion, it can be stated with a high degree of confidence that certificates for the black market are now issued on demand for a specific buyer. They are registered in the names of real companies. In all likelihood, these companies do not suspect that such registrations occur on their behalf, although in some cases criminal collusion (for example, bribery of employees) cannot be ruled out.

These are perfectly valid, legitimate certificates for real companies issued by serious CAs. Such a tactic has proven extremely effective for spreading malware, the report authors write.

One of the first groups to sell "black" certificates was the hacker group C@T. In March 2015, on the well-known Russian forum Antichat, it offered Microsoft Authenticode certificates for signing 32-bit and 64-bit executable files. These certificates also allow signing code for Microsoft Office, Microsoft VBA, Netscape Object Signing, Marimba Channel Signing and Silverlight 4 applications.
(Figure: signed PE executable file format)
In the ad, the group stated that the certificates were issued by Comodo, Thawte and Symantec to real corporations. Each certificate is unique and was promised to be sold to only one customer. Apple code signing certificates were also offered.



"In the Apple world, you cannot run a program with unsigned code, although there are many ways to get around this check," said Amit Serper, a senior security researcher at Cybereason and an expert on Mac malware. "To sign a program, you need to set up a developer account, pay Apple $99 and explain why a certificate is needed. Since Apple's goal is to make money and attract more members to its developer platform, getting a certificate is incredibly simple. Many malware and adware programs for Macs are signed with legitimate certificates provided by Apple."

According to C@T, signing code with such a certificate raises the rate of successful malware installations by 30-50%. The hackers also said they had sold more than 60 certificates over the preceding six months. That is a good result given the high price: three years ago, "black" certificates cost more than $1,000.

In 2016, two more certificate sellers appeared on the forums, and in May 2017 a third joined them. All three are still active. The first works with Russian-speaking clients (advertising on local forums), the second specializes in PKI Class 3 certificates for $600, and the third offers the widest range.



The cheapest are standard code signing certificates issued by Comodo, without SmartScreen reputation, which sell for $295. The most expensive are EV certificates from Symantec with SmartScreen reputation, at $1,599.

EV SSL certificates are sold separately, starting at $349 per domain. A bundle of a code signing certificate and an EV SSL certificate costs $1,799.

How effective are these certificates?


Insikt Group researchers persuaded one of the sellers of black certificates on the forum to run a test. They obtained a sample of a new RAT trojan that was not yet in antivirus databases. The files were first encrypted (run through a crypter) and then signed with a freshly issued Comodo certificate.

Of all the antivirus engines on VirusTotal, eight detected the encrypted malware without a signature, and only two detected it with the Comodo signature.





Even more disturbing results were obtained with the non-resident version of the trojan. In that case, six antivirus engines detected the threat in the unsigned file, and only one in the signed file.





The researchers warn that the combination of valid certificates and SSL/TLS traffic encryption may in future hamper antivirus protection based on deep packet inspection. On the other hand, black certificates are still quite expensive, so not every attacker can afford to buy new certificates after the old ones are revoked. Most likely, such certificates, both for code signing and for SSL, will be used mainly for industrial espionage and for cyber operations by state intelligence services, as was the case with Stuxnet.
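The practical lesson of both the 2010 "copied certificate" samples and the Insikt Group test is that a defender cannot stop at the signature status: a transplanted signature shows up as a hash mismatch, while a certificate bought on the black market verifies as perfectly valid and has to be caught on other attributes (who the signer is, which CA issued it, how recently it was issued, whether it was revoked after the fact). The following PowerShell triage function is an added example written for this article; it is not code from the article or from Recorded Future. It assumes Windows PowerShell 5.1 or later, network access for online revocation checks, and a locally maintained allowlist of signer subjects (the single Microsoft entry below is a constructed placeholder); the function name `Get-SignerTriage` and the 30-day "young certificate" threshold are likewise assumptions.

```powershell
function Get-SignerTriage {
    # Added example: triage signed PE files without trusting "Status: Valid" alone.
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $Path,
        # Constructed placeholder allowlist; replace with signers seen in your own inventory.
        [string[]] $KnownSigners = @('CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'),
        # Assumed threshold: certificates issued this recently are worth a second look,
        # because on-demand "black" certificates are fresh by construction.
        [int] $YoungCertDays = 30
    )

    foreach ($file in $Path) {
        $sig   = Get-AuthenticodeSignature -FilePath $file
        $cert  = $sig.SignerCertificate
        $flags = New-Object System.Collections.Generic.List[string]

        switch ($sig.Status) {
            'NotSigned'    { $flags.Add('unsigned') }
            # Signature blob copied from another file, or the file was modified after signing.
            'HashMismatch' { $flags.Add('signature-does-not-match-file') }
            'NotTrusted'   { $flags.Add('untrusted-chain') }
            'Valid'        { }
            default        { $flags.Add("status:$($sig.Status)") }
        }

        if ($cert) {
            # Rebuild the chain ourselves with online revocation checking and the
            # code-signing EKU (1.3.6.1.5.5.7.3.3), so a certificate revoked after
            # the file was signed is surfaced even though the signature itself is intact.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
            $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3')) | Out-Null
            if (-not $chain.Build($cert)) {
                $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
                $flags.Add("chain:$reasons")
            }

            # A valid signature from a certificate issued days ago by a real CA is exactly
            # what the on-demand market produces; age and signer identity are the signal.
            $ageDays = [int]((Get-Date) - $cert.NotBefore).TotalDays
            if ($ageDays -lt $YoungCertDays) { $flags.Add("cert-issued-${ageDays}d-ago") }
            if ($KnownSigners -notcontains $cert.Subject) { $flags.Add('signer-not-in-allowlist') }
            # Without a countersignature timestamp, the signature dies with the certificate,
            # which is typical of throwaway certificates that are expected to be revoked.
            if (-not $sig.TimeStamperCertificate) { $flags.Add('no-timestamp') }
        }

        [pscustomobject]@{
            File       = $file
            Status     = $sig.Status
            Signer     = if ($cert) { $cert.Subject } else { $null }
            Issuer     = if ($cert) { $cert.Issuer } else { $null }
            NotBefore  = if ($cert) { $cert.NotBefore } else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            Flags      = ($flags -join '; ')
        }
    }
}

# Usage (the path is a placeholder): every row whose Flags column is non-empty
# deserves a closer look, even when Status says Valid.
Get-SignerTriage -Path 'C:\Temp\sample.exe' | Format-List
```

The point of the extra chain build is that `Get-AuthenticodeSignature` answers "was this signature valid when it was made?", while the chain rebuilt with `RevocationMode = Online` answers "is the signer's certificate still trusted today?"; a black-market certificate that the CA has since revoked fails the second question but can still pass the first. Treat `signer-not-in-allowlist` together with `cert-issued-Nd-ago` as the strongest pair: that is the profile of a certificate issued to order for a single customer.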

Information on standard and extended validation (EV) code signing certificates from the GlobalSign certification authority, compatible with most platforms, can be found on the company's official website.



We are launching the promotion "More cyber defense for sports"!

GlobalSign joins the celebration of the biggest event for athletes and football fans, the 2018 FIFA World Cup, and GIVES AWAY 1 YEAR OF SSL PROTECTION! *

Promotion conditions:
* When you purchase any one-year SSL certificate at the DV, OV or EV level, you receive a second year free.
• The promotion applies to all sports-related websites.
• The promotion is valid only for new orders and does not apply to partners.
• To take advantage of the offer, submit a request on the site with the promo code SL003HBFR.

The promotion will last until July 15, 2018.
You can obtain additional information on the promotion from GlobalSign Russia managers by phone: +7 (499) 678 2210.
MORE PROTECTION with GlobalSign!