Thursday, May 1, 2025
HomeCryptocurrency hackHackers Illegally Purchasing Abused Code-signing & SSL Certificates From Underground Market

Hackers Illegally Purchasing Abused Code-signing & SSL Certificates From Underground Market

Published on

SIEM as a Service

Follow Us on Google News

Threat actors using Abused Code-signing certificate from reputable companies as a layer of obfuscation in distributing malicious payloads.

Abused Codesigning certificates would provide integrity for an application and there are different classes of Codesigning certificates standard and Extended Validation.

Cybercriminals obtaining the certificate as like a specific buyer by submitting the stolen corporate identities of legitimate owner.

- Advertisement - Google News

Recorded Future’s Insikt Group investigated the criminal underground and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.

Now Antivirus detection capabilities improved and some AV companies implemented behavior analysis too. So cybercriminals started thinking about the second level of protection by signing the payload with legitimate codesigning certificates.

In March 2015 an advertisement from C@T(Underground market vendor) explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec — the largest and most respected issuers.

Researchers said, “According to C@T ads, the success rate of payload installations from signed files increases by 30 to 50 percent, and he even admitted to selling over 60 Abused Code-signing certificates in less than six months”.

Now after two years, researchers spotted three new vendors, the first not offering codesigning certificates anymore, the second vendor offering only the Standard Codesigning certificates.

Whereas the third vendor offering a range of products starting from standard codesigning to EV codesigning certificates and also in packages along with SSL Certificates.

Insikt Group effectively persuaded a seller to lead a trial, signing a provided payload executable of a formerly unreported Remote Access Trojan (RAT) with an as of late issued Comodo certificate.

Despite that test-subject files were encrypted beforehand, the results of the test demonstrated the superior effectiveness of code signed versions

While just eight antivirus suppliers effectively recognized the encrypted version of the payload, just two of them were compelling against the code signed version.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

Trellix, a leader in cybersecurity solutions, has unveiled its latest innovation, the Trellix Phishing...

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Crypto Platform OKX Suspends Tool Abused by North Korean Hackers

Cryptocurrency platform OKX has announced the temporary suspension of its Decentralized Exchange (DEX) aggregator...

Authorities Seize $31 Million Linked to Crypto Exchange Hack

U.S. authorities announced the seizure of $31 million tied to the 2021 Uranium Finance...

Stablecoin Bank Hit by Cyberattack, Loses $49.5M to Hackers

The cryptocurrency sector faced one of its most significant security breaches this year as...