Signed, sealed, delivered: Hackers gilding malware with code-signing certificates

Counterfeit certificates are making it easier for malicious payloads to bypass security applications

Business is growing for vendors of counterfeit code-signing certificates, as hackers continue to look for new ways to maximize the effectiveness of their malware campaigns, new research suggests.

According to a recent report from Recorded Future’s Insikt Group, illicit code-signing certificates are now available in the criminal underground for as little as $299.

“All certificates are issued by reputable companies, such as Comodo, Thawte, and Symantec, and have proved to be extremely effective in malware obfuscation,” said Insikt researcher, Andrei Barysevich.

“The most affordable version of a code-signing certificate costs $299, but the most comprehensive Extended Validation (EV) certificate with a SmartScreen reputation rating is listed for $1,599.”

Insikt’s investigation comes amid reports of a “sudden increase in code-signing certificates being used as a layered obfuscation technique” for malicious payload distribution campaigns.

However, contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners, Insikt said it could confirm with a “high degree of certainty” that the certificates are in fact being custom-created for each buyer using stolen corporate identities.

During its investigation, Insikt identified numerous vendors currently offering both code-signing certificates and domain name registration with accompanying SSL certificates, both of which make traditional security applications less effective.

“Network security appliances performing deep packet inspection become less effective when legitimate SSL/TLS traffic is initiated by a malicious implant,” Barysevich said.

“Netflow analysis is an important control toward reducing risk, as host-based controls may also be rendered ineffective by legitimate code-signing certificates.”

Although hackers are increasingly utilizing counterfeit code-signing certificates, Barysevich said it was unlikely this method will become a “mainstream staple” of cybercrime due to its prohibitive cost.

However, the researcher noted that the high price point would do little to deter sophisticated and nation-state actors, who are typically engaged in “less widespread and more targeted attacks”.