Threat actors using Abused Code-signing certificate from reputable companies as a layer of obfuscation in distributing malicious payloads.
Abused Codesigning certificates would provide integrity for an application and there are different classes of Codesigning certificates standard and Extended Validation.
Cybercriminals obtaining the certificate as like a specific buyer by submitting the stolen corporate identities of legitimate owner.
Recorded Future’s Insikt Group investigated the criminal underground and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.
Now Antivirus detection capabilities improved and some AV companies implemented behavior analysis too. So cybercriminals started thinking about the second level of protection by signing the payload with legitimate codesigning certificates.
In March 2015 an advertisement from C@T(Underground market vendor) explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec — the largest and most respected issuers.
Researchers said, “According to C@T ads, the success rate of payload installations from signed files increases by 30 to 50 percent, and he even admitted to selling over 60 Abused Code-signing certificates in less than six months”.
Now after two years, researchers spotted three new vendors, the first not offering codesigning certificates anymore, the second vendor offering only the Standard Codesigning certificates.
Whereas the third vendor offering a range of products starting from standard codesigning to EV codesigning certificates and also in packages along with SSL Certificates.
Insikt Group effectively persuaded a seller to lead a trial, signing a provided payload executable of a formerly unreported Remote Access Trojan (RAT) with an as of late issued Comodo certificate.
Despite that test-subject files were encrypted beforehand, the results of the test demonstrated the superior effectiveness of code signed versions
While just eight antivirus suppliers effectively recognized the encrypted version of the payload, just two of them were compelling against the code signed version.
The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…
White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…
Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…
The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…
Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…
WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…