Researcher finds digital certificate fraud used to spread malware

A new certificate fraud scheme involves a threat actor impersonating company execs to purchase certs which are then resold to those looking to spread malware.

A security research firm says a new digital certificate fraud scheme impersonates key figures in organizations.

Tomislav Pericin, co-founder and chief architect for ReversingLabs, discovered a new threat actor who has been impersonating company executives -- specifically those in the software industry -- in order to trick certificate authorities (CAs) into issuing code-signing certificates. The threat actor then resells those certificates on the black market to cybercriminals looking to use them to spread malware.

"There's little threat actors wouldn't do to appear as legitimate entities. While stolen certificates get a lot of public attention, there's also a quieter side of the malware business -- stolen identities," Pericin wrote in a blog post. "Sometimes these two can become intertwined."

According to Pericin, the certificate fraud scheme begins with the threat actor choosing a target to impersonate who is "well-established in their industry, with easily verifiable history" and someone who can be easily linked to their place of employment in order to fool the CA identity validation.

The threat actor then builds infrastructure to make the impersonation appear more legitimate, including registering a convincing domain, which Pericin said has been made easier in the EU due to the GDPR.

"Since GDPR legislation came into effect, most EU domain registrars have agreed that WHOIS records are considered private and personally identifiable information. This makes knowing the true identity behind the registered domain name subject to a data release process," Pericin wrote. "Those are things slightly more important than certificate authority identity verification, yet sadly, that leaves them with an exploitable blindspot."

Pericin told SearchSecurity that CAs are at risk for this type of certificate fraud because "CAs are under constant pressure to issue certificates as fast as possible."

The usual three-to-five business day turnaround for a code-signing certificate purchase can be insufficient to do thorough checks.
Tomislav PericinCo-founder and chief architect, ReversingLabs

"The usual three-to-five business day turnaround for a code-signing certificate purchase can be insufficient to do thorough checks," Pericin said. "Attackers such as this one take advantage of this and make the identity validation quite believable."

Once this infrastructure is in place, the threat actor buys a code-signing certificate, tests it and then resells it on the black market to someone looking to spread malware. The first malicious file with a code-signing certificate that Pericin discovered was OpenSUpdater, a well-known adware program.

"Extended validation certificates are extremely valuable to adware spreading groups," Pericin wrote. "Files signed with this type of certificate bypass Microsoft SmartScreen protection and allow signed programs to execute with no warnings about the possible unsafe file origins."

While only one CA was mentioned in Pericin's research, he told SearchSecurity that there is evidence showing "threat actor using the same approach against other CAs as well."

Pericin added that "organizations that invest less in their brand protection are more susceptible to these kinds of attacks."

"Since these threats are external to the organization, it is impossible to detect them with internal security measures," Pericin said. "The best advice we can give out at this time is to invest in brand protection. To register domains that are easily mistaken with the brand owner ahead of time. If possible, to monitor the web for mentions of their brand in the context of malware misuse."

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing