Security researchers have discovered that hackers are able to obfuscate malware through code signing and SSL certificates. According to a new report by Recorded Future, researchers have discovered that dark web vendors are offering made to order certificates which are registered using stolen corporate identities.
In a blog post, Andrei Barysevich, Recorded Future's director of Advanced Collection, said that in 2017 security researchers around the world started seeing a sudden increase in code signing certificates being used as a layered obfuscation technique for malicious payloads.
Investigations by Recorded Future's Insikt Group found that while the earliest use of stolen code signing certificates dates to 2011, it was not until 2015 that code signing certificates became widely available in the criminal underground.
Insikt Group identified four well-known vendors of such products since 2011; only two vendors are currently soliciting their services to Russian-speaking hackers. It said the most affordable version of a code signing certificate costs US$ 299 (£214), but the most comprehensive Extended Validation (EV) certificate with a SmartScreen reputation rating is listed for US$ 1,599 (£1,143). The starting price of a domain name registration with EV SSL certificate is US$ 349 (£249).
Barysevich said that all certificates are issued by reputable companies, such as Comodo, Thawte, and Symantec, and have proved to be extremely effective in malware obfuscation. “We believe that legitimate business owners are unaware that their data was used in the illicit activities,” he added.
“It's been generally accepted that security certificates circulating in the criminal underground were stolen from legitimate owners prior to being used in nefarious campaigns. However, our most recent analysis indicates this is not the case. We have confirmed – with a high degree of certainty – that counterfeit certificates are created for specific buyers, per request, only and registered using stolen corporate identities,” said Barysevich.
“It's our belief that the legitimate business owners are completely unaware that their data was or is being used in these illicit activities. While we don't anticipate the widespread use of counterfeit credentials, we do believe that sophisticated actors with specific targets will continue to rely on fake code signing and SSL certificates as a part of their operations.”
He said that network security appliances which were carrying out deep packet inspection became less effective when legitimate SSL/TLS traffic was initiated by a malicious implant.
"Netflow (packet headers) analysis is an important control toward reducing risk, as host-based controls may also be rendered ineffective by legitimate code signing certificates," he added.
He said that one of the first vendors to offer counterfeit code signing certificates was known as C@T, a member of a prolific hacking messaging board. In March 2015, C@T offered for sale a Microsoft Authenticode certificate capable of signing 32/64-bit versions of various executable files, as well as Microsoft Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing documents, and supporting Silverlight 4 applications. Apple code signing certificates were also available.
"In his advertisement, C@T explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec—the largest and most respected issuers," said Barysevich. "The seller indicated that each certificate is unique and will only be assigned to a single buyer, which could be easily verified via HerdProtect.com. According to C@T, the success rate of payload installations from signed files increases by 30 to 50 percent, and he even admitted to selling over 60 certificates in less than six months."
Over time, C@T saw sales dwindle and failed to appeal to a broad client base because of prohibitive costs, in some cases demanding upwards of US$ 1,000 (£715) per certificate, when other more affordable and reliable payload obfuscation methods were still available.
A rival service offered standard code signing certificates issued by Comodo, without a SmartScreen reputation rating, for US$ 295 (£211). A buyer interested in the most trusted version of an EV certificate issued by Symantec would have to pay US$ 1,599 (£1,143), a 230 percent premium compared to the price of the authentic certificate. For those seeking to purchase in bulk, fully authenticated domains with EV SSL encryption and code signing capabilities could also be arranged for US$ 1,799 (£1,287).
"According to the information provided by both sellers during a private conversation, to guarantee the issuance and lifespan of the products, all certificates are registered using the information of real corporations," said Barysevich. "With a high degree of confidence, we believe that the legitimate business owners are unaware that their data was used in the illicit activities. It is important to note that all certificates are created for each buyer individually with the average delivery time of two to four days."
The researchers managed to convince a vendor to conduct a trial, signing a provided payload executable of a previously unreported Remote Access Trojan (RAT) with a recently issued Comodo certificate. Only eight antivirus providers successfully detected the encrypted version of the payload, and only two of them were effective against the code-signed version.
"More disturbing results surfaced after the same test was conducted for a non-resident version of the payload," said Barysevich. "In that case, only six companies were capable of detecting an encrypted version, and only Endgame protection recognised the file as malicious."
Chris Doman, security researcher at AlienVault, told SC Media UK that currently many security vendors treat signed software as trusted, on the assumption that obtaining a certificate is difficult for bad actors. “In fact, as this research shows, it's very easy. Short of the certificate authorities upping their validations, security vendors will have to start seeing signed software as less of an indicator of trust. The end result will likely be more false positives in your security software,” he said.
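One defender-side way to act on that point, as an added example that is not part of the article or of Recorded Future's report, is to treat a valid Authenticode signature as one signal rather than as proof of trust. The script below assumes a hypothetical, organisation-maintained allowlist of vetted publisher thumbprints (the placeholder value is constructed) and flags a signed binary whose publisher is not on it or whose certificate was issued only days ago, which is consistent with the made-to-order delivery times the report describes.

```powershell
# Added example: valid signature chain != trusted publisher.
# Assumes a hypothetical allowlist of vetted publisher thumbprints.
param(
    [Parameter(Mandatory)] [string] $Path,
    [int] $RecentDays = 30
)

# Constructed placeholder: SHA-1 thumbprints of publishers this
# organisation has explicitly vetted (replace with real values).
$TrustedPublisherThumbprints = @(
    '0000000000000000000000000000000000000000'
)

function Test-SignedBinary {
    param([string] $Path, [int] $RecentDays, [string[]] $Allowlist)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $findings = @()

    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status: $($sig.Status)"
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Findings = $findings }
    }

    $cert = $sig.SignerCertificate
    # A chain that validates back to a reputable CA does not prove the publisher
    # is who it claims: the report describes certificates issued under stolen
    # corporate identities. Decide trust from the organisation's own allowlist.
    if ($Allowlist -notcontains $cert.Thumbprint) {
        $findings += "Signer '$($cert.Subject)' is not on the organisation allowlist"
    }

    # A freshly issued certificate is a weak but useful signal: the report cites
    # two-to-four-day delivery of made-to-order certificates.
    $age = (Get-Date) - $cert.NotBefore
    if ($age.TotalDays -lt $RecentDays) {
        $findings += "Certificate issued $([int]$age.TotalDays) days ago (NotBefore $($cert.NotBefore))"
    }

    # Note: EV status is deliberately not used to raise trust; EV certificates
    # were on offer from the same vendors.
    [pscustomobject]@{
        Path     = $Path
        Signer   = $cert.Subject
        Issuer   = $cert.Issuer
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-SignedBinary -Path $Path -RecentDays $RecentDays -Allowlist $TrustedPublisherThumbprints
```

Run it as `.\Test-SignedBinary.ps1 -Path C:\path\to\binary.exe`; a `Trusted` value of `$false` with populated `Findings` is a prompt for review, not a verdict of maliciousness.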
Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that it is very difficult for an organisation to prevent this kind of attack (i.e. having a certificate bearing its name issued to a third party) because the flaw resides with the certificate authority that issues it.
“They should be able to identify and block fake certificate requests and ensure they do not expose the legitimate business to impersonation,” he said.