Certificates registered in names of real corporations are surprisingly easy to come by. Counterfeit certificates that generate such fraudulent signatures are being sold online for use in other malware.
In many cases, the certificates are required to install software on Windows and macOS computers, while in others, they prevent the OSes from displaying warnings that the software comes from an untrusted developer. The certificates also increase the chances that antivirus programs won’t flag previously unseen files as malicious.
A report published by threat intelligence provider Recorded Future said that starting last year, researchers saw a sudden increase in fraudulent certificates issued by browser- and operating system-trusted providers that were being used to sign malicious wares. The spike drove Recorded Future researchers to investigate the cause. What they found was surprising.
“Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective,” Andrei Barysevich, a researcher at Recorded Future, reported.
Barysevich identified four such sellers of counterfeit certificates since 2011. Two of them remain in business today. The sellers offered a variety of options. In 2014, one provider calling himself C@T advertised certificates that used a Microsoft technology known as Authenticode for signing executable files and programming scripts that can install software. C@T offered code-signing certificates for macOS apps as well. His fee: upwards of $1,000 per certificate.
“In his advertisement, C@T explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec—the largest and most respected issuers,” the report said. “The seller indicated that each certificate is unique and will only be assigned to a single buyer, which could be easily verified via HerdProtect.com. According to C@T, the success rate of payload installations from signed files increases by 30 to 50 percent, and he even admitted to selling over 60 certificates in less than six months.”
The fraudulent certificates passed the SmartScreen validation check various Microsoft software performs to protect users against malicious apps.