Saturday, April 13, 2024

Hackers Illegally Purchasing Abused Code-signing & SSL Certificates From Underground Market

Threat actors using Abused Code-signing certificate from reputable companies as a layer of obfuscation in distributing malicious payloads.

Abused Codesigning certificates would provide integrity for an application and there are different classes of Codesigning certificates standard and Extended Validation.

Cybercriminals obtaining the certificate as like a specific buyer by submitting the stolen corporate identities of legitimate owner.

Recorded Future’s Insikt Group investigated the criminal underground and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.

Now Antivirus detection capabilities improved and some AV companies implemented behavior analysis too. So cybercriminals started thinking about the second level of protection by signing the payload with legitimate codesigning certificates.

In March 2015 an advertisement from C@T(Underground market vendor) explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec — the largest and most respected issuers.

Researchers said, “According to C@T ads, the success rate of payload installations from signed files increases by 30 to 50 percent, and he even admitted to selling over 60 Abused Code-signing certificates in less than six months”.

Now after two years, researchers spotted three new vendors, the first not offering codesigning certificates anymore, the second vendor offering only the Standard Codesigning certificates.

Whereas the third vendor offering a range of products starting from standard codesigning to EV codesigning certificates and also in packages along with SSL Certificates.

Insikt Group effectively persuaded a seller to lead a trial, signing a provided payload executable of a formerly unreported Remote Access Trojan (RAT) with an as of late issued Comodo certificate.

Despite that test-subject files were encrypted beforehand, the results of the test demonstrated the superior effectiveness of code signed versions

While just eight antivirus suppliers effectively recognized the encrypted version of the payload, just two of them were compelling against the code signed version.


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles