Saturday, November 2, 2024
HomeCryptocurrency hackHackers Illegally Purchasing Abused Code-signing & SSL Certificates From Underground Market

Hackers Illegally Purchasing Abused Code-signing & SSL Certificates From Underground Market

Published on

Malware protection

Threat actors using Abused Code-signing certificate from reputable companies as a layer of obfuscation in distributing malicious payloads.

Abused Codesigning certificates would provide integrity for an application and there are different classes of Codesigning certificates standard and Extended Validation.

Cybercriminals obtaining the certificate as like a specific buyer by submitting the stolen corporate identities of legitimate owner.

- Advertisement - SIEM as a Service

Recorded Future’s Insikt Group investigated the criminal underground and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.

Now Antivirus detection capabilities improved and some AV companies implemented behavior analysis too. So cybercriminals started thinking about the second level of protection by signing the payload with legitimate codesigning certificates.

In March 2015 an advertisement from C@T(Underground market vendor) explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec — the largest and most respected issuers.

Researchers said, “According to C@T ads, the success rate of payload installations from signed files increases by 30 to 50 percent, and he even admitted to selling over 60 Abused Code-signing certificates in less than six months”.

Now after two years, researchers spotted three new vendors, the first not offering codesigning certificates anymore, the second vendor offering only the Standard Codesigning certificates.

Whereas the third vendor offering a range of products starting from standard codesigning to EV codesigning certificates and also in packages along with SSL Certificates.

Insikt Group effectively persuaded a seller to lead a trial, signing a provided payload executable of a formerly unreported Remote Access Trojan (RAT) with an as of late issued Comodo certificate.

Despite that test-subject files were encrypted beforehand, the results of the test demonstrated the superior effectiveness of code signed versions

While just eight antivirus suppliers effectively recognized the encrypted version of the payload, just two of them were compelling against the code signed version.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical Atlassian Vulnerability Exploited To Connect Servers In Mining Networks

Hackers usually shift their attention towards Atlassian due to flaws in its software, especially...

Log4j Vulnerability Exploited Again To Deploy Crypto-Mining Malware

Recent attacks exploit the Log4j vulnerability (Log4Shell) by sending obfuscated LDAP requests to trigger...

Hackers Abused StackExchange Platform To Deliuver Malicious Python Package

Attackers uploaded malicious Python packages targeting Raydium and Solana users to PyPI, leveraging a...