Threat actors using Abused Code-signing certificate from reputable companies as a layer of obfuscation in distributing malicious payloads.
Abused Codesigning certificates would provide integrity for an application and there are different classes of Codesigning certificates standard and Extended Validation.
Cybercriminals obtaining the certificate as like a specific buyer by submitting the stolen corporate identities of legitimate owner.
Recorded Future’s Insikt Group investigated the criminal underground and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.
Now Antivirus detection capabilities improved and some AV companies implemented behavior analysis too. So cybercriminals started thinking about the second level of protection by signing the payload with legitimate codesigning certificates.
In March 2015 an advertisement from C@T(Underground market vendor) explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec — the largest and most respected issuers.
Researchers said, “According to C@T ads, the success rate of payload installations from signed files increases by 30 to 50 percent, and he even admitted to selling over 60 Abused Code-signing certificates in less than six months”.
Now after two years, researchers spotted three new vendors, the first not offering codesigning certificates anymore, the second vendor offering only the Standard Codesigning certificates.
Whereas the third vendor offering a range of products starting from standard codesigning to EV codesigning certificates and also in packages along with SSL Certificates.
Insikt Group effectively persuaded a seller to lead a trial, signing a provided payload executable of a formerly unreported Remote Access Trojan (RAT) with an as of late issued Comodo certificate.
Despite that test-subject files were encrypted beforehand, the results of the test demonstrated the superior effectiveness of code signed versions
While just eight antivirus suppliers effectively recognized the encrypted version of the payload, just two of them were compelling against the code signed version.
