Security firm Recorded Future claims that the use of counterfeit code-signing certificates is on the rise, but is of the view that this will not become too common due to the cost of the certificates.
In a report, the company's Andrei Barysevich said a rise in code signing certificates being used as a layered obfuscation technique for distributing malicious payloads had been observed in 2017.
As a result of this, Recorded Future's Insikt Group undertook an investigation of the underground and found vendors who were offering both code-signing certificates and domain name registrations with the accompanying SSL certificates.
Barysevich said that, contrary to the common belief that certificates circulating in the criminal underground were stolen from their original owners, the investigation found that such certificates were created for specific buyers and registered using stolen corporate identities.
This had the effect of rendering traditional network security appliances of little use.
Barysevich said the earliest use of a stolen code certificate was in 2011, presumably in the Stuxnet malware which was a joint US-Israel effort that ended up putting a serious dent in Iran's nuclear programme.
Since then, the Insikt Group had identified four well-known vendors of stolen code certificates with two offering their services to Russian-speaking attackers.
In cost terms, Barysevich said the most affordable version of a code-signing certificate cost US$299. But the most comprehensive Extended Validation certificate with a SmartScreen reputation was much more expensive – US$1599.
The starting price for a domain name registration with an EV SSL certificate was US$349.
Barysevich said all these certificates were issued by companies that had a good name — Comodo, Thawte and Symantec — and had proved to be very effective in malware obfuscation.
"We believe that legitimate business owners are unaware that their data was used in the illicit activities," he said.
He pointed out that network security appliances which were carrying out deep packet inspection became less effective when legitimate SSL/TLS traffic was initiated by a malicious implant.
"Netflow (packet headers) analysis is an important control toward reducing risk, as host-based controls may also be rendered ineffective by legitimate code signing certificates," he said.
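The point behind the netflow recommendation is that flow metadata (who talked to whom, when, and how much) does not depend on whether a certificate is valid, so it still works when an implant is signed with a legitimately issued certificate and talks over properly certified TLS. The following is an added illustration written for this article, not code from Recorded Future's report: it scans constructed NetFlow-style records for a host that checks in to one destination on a near-fixed period with near-constant payload size. The record layout, the sample hosts and addresses, and the thresholds (`MIN_FLOWS`, `MAX_GAP_CV`, `MAX_SIZE_CV`) are all assumptions chosen for the example.

```python
"""Beacon detection over flow metadata (NetFlow-style headers).

Added example; uses timing and byte counts only, so it is indifferent to
whether the TLS or code-signing certificate behind the traffic is genuine.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records, not real telemetry:
# (timestamp_seconds, src_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = []

# Hypothetical implant on 10.0.0.5 checking in to 203.0.113.10:443 roughly
# every 60 s with a little jitter and a near-constant request size.
for t in (0, 61, 119, 182, 240, 301, 359, 421, 480, 540):
    SAMPLE_FLOWS.append((t, "10.0.0.5", "203.0.113.10", 443, 512))

# Ordinary browsing from 10.0.0.7 to 198.51.100.20:443: bursty timing,
# widely varying sizes. Should not be flagged.
for t, nbytes in ((5, 8192), (9, 1024), (150, 65536), (158, 300), (160, 4096),
                  (420, 2048), (425, 12288), (430, 700), (600, 9000), (605, 1500)):
    SAMPLE_FLOWS.append((t, "10.0.0.7", "198.51.100.20", 443, nbytes))

# Assumed thresholds; tune against your own baseline traffic.
MIN_FLOWS = 6        # ignore pairs with too few flows to judge periodicity
MAX_GAP_CV = 0.25    # coefficient of variation of inter-arrival gaps
MAX_SIZE_CV = 0.30   # coefficient of variation of bytes_out


def coefficient_of_variation(values):
    """Population std-dev divided by mean; 0.0 for an all-zero series."""
    m = mean(values)
    if m == 0:
        return 0.0
    return pstdev(values) / m


def find_beacons(flows, min_flows=MIN_FLOWS, max_gap_cv=MAX_GAP_CV,
                 max_size_cv=MAX_SIZE_CV):
    """Return one dict per (src, dst, port) whose flows look like a beacon.

    A pair is a candidate when it has at least min_flows flows, its
    inter-arrival gaps are regular (low CV, so jitter is tolerated) and its
    outbound sizes are near-constant (low CV).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    candidates = []
    for (src, dst, port), recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()  # records may arrive out of order from a collector
        times = [ts for ts, _ in recs]
        sizes = [nb for _, nb in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        gap_cv = coefficient_of_variation(gaps)
        size_cv = coefficient_of_variation(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            candidates.append({
                "src": src, "dst": dst, "port": port,
                "flows": len(recs),
                "period_s": round(mean(gaps), 1),
                "gap_cv": round(gap_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return candidates


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"beacon candidate: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['period_s']}s ({hit['flows']} flows, "
              f"gap_cv={hit['gap_cv']}, size_cv={hit['size_cv']})")
```

Run against the constructed records it reports only the 10.0.0.5 to 203.0.113.10:443 pair (period about 60 s) and stays silent on the browsing host. In practice the same pass would run over exported flow records from a collector, with the thresholds set from a baseline of the environment's normal traffic; the signer of the binary and the CA behind the server certificate never enter into the decision.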
One of the first vendors to offer counterfeit code-signing certificates was known as C@T and was a member of a busy hacking messaging board.
"In March 2015, C@T offered for sale a Microsoft Authenticode capable of signing 32/64b versions of various executable files, as well as Microsoft Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing documents, and supported Silverlight 4 applications. Additionally, Apple code signing certificates were also available," Barysevich said.
About two years later, three new faces appeared on the scene and started doing business, mainly in the Eastern European underground. One had moved on to other activities, but two were still around and carrying on the same trade.
"According to the information provided by both sellers during a private conversation, to guarantee the issuance and lifespan of the products, all certificates are registered using the information of real corporations," Barysevich said.
"With a high degree of confidence, we believe that the legitimate business owners are unaware that their data was used in the illicit activities. It is important to note that all certificates are created for each buyer individually with the average delivery time of two to four days."
Barysevich said unlike ordinary crypting services which were readily available at US$10 to US$30 per encryption, "we do not anticipate counterfeit certificates becoming a mainstream staple of cyber crime due to their prohibitive cost".
"However, undoubtedly, more sophisticated actors and nation-state actors who are engaged in less widespread and more targeted attacks will continue using fake code signing and SSL certificates in their operations."
Screenshot: courtesy Recorded Future