Researchers at Recorded Future’s Insikt Group have identified four vendors selling code signing certificates and domain name registration with accompanying SSL certificates to hackers in the criminal underground. Cyber attackers are using the code-signed apps, which are easier to slide by network security appliances, to make payload distributing malware appear legitimate.
Code-signing certificates are meant to assure users of an app’s authenticity. Clues that cyber attackers are selling legitimate paper to cloak malware distribution campaigns first appeared seven years ago but it wasn't until 2015 that the practice achieved some prominence among cyber criminals, wrote Andrei Barysevich, Recorded Future’s director of advanced collection, in a blog post. It is only recently that security researchers have begun to investigate more closely, he said.
The legitimacy of the code-signing certificates runs counter to the assumption that cyber gangsters steal security certificates from organizations. Instead, Insikt said with some certainty, the certificates are created for and requested by a specific buyer and are registered using stolen corporate identities. Insikt said that legitimate business owners are likely unaware that their data is used in the illicit activities.
“Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective,” Barysevich wrote.
Here are more details from Insikt’s research:
- Insikt has identified four well-known vendors of such products since 2011. Two are currently soliciting their services to Russian-speaking hackers.
- One hurdle is the certs are expensive. The most affordable version of a code signing certificate costs $299, but the most comprehensive Extended Validation (EV) certificate with a SmartScreen reputation rating is listed for $1,599. The starting price of a domain name registration with EV SSL certificate is $349.
- All certificates are issued by reputable companies, such as Comodo, Thawte, and Symantec, and have shown to be effective in malware obfuscation.
- Network security appliances performing deep packet inspection are less effective when legitimate certificate SSL/TLS traffic is initiated by a malicious implant.
"Hacked code-signing certificates certainly present an extended challenge to IT security teams, and are a potentially effective tactic to bypass traditional security appliances,” Manoj Asnani, Balbix product and design VP, told MSSP Alert in an email. “The challenge many organizations face is connecting the dots between the intelligence captured, in the dark web for example, and prioritizing the potential threats to their specific ecosystem based on business criticality.”
C@T, one seller that Insikt tracked whose activity dates to 2015, apparently claimed that the success rate of payload installations from signed files increases up to 50 percent. According to Insikt, C@T in 2015 began selling Microsoft and Apple certificates. In 2017, three new actors began selling certificates in the Eastern European underground. Two still actively supply counterfeit certificates to Russian-speaking actors, Insikt said.
Still, Insikt said the prohibitive cost of bogus certs will likely prevent the scam from becoming a "mainstream staple" of cyber crime. Nevertheless, it's likely to remain an alluring tactic for certain operations. The researchers said they expect "more sophisticated actors and nation-state actors who are engaged in less widespread and more targeted attacks will continue using fake code signing and SSL certificates."
