September 9, 2015 By Limor Kessem 10 min read

The fraud underground is a vivid dark market replete with services, commodities and information sharing, providing cybercriminals with just about any help they may need for their misdoings.

Alongside the usual malware vendors and fraud scam chatter, one recent phenomenon IBM Security X-Force researchers have been tracking is certificates-as-a-service (CaaS). Cybercriminals obtain high-grade code signing certificates from trusted cert authorities and then sell them on demand through Dark Web e-commerce sites to anyone who will pay.

IBM Security X-Force researchers note seeing a considerable hike in the sale of code signing certificates in the underground in the past few months. Further investigation of this phenomenon reveals findings that add to the understanding of why the use of signed malware has increased threefold in the past four years alone. They also provide some best practices on how to check that certificates can be trusted at a time when trust is increasingly fragile.

A Bit About Certificates

Code signing certificates are files containing a digital signature that can be used to sign files such as executables and scripts. Certificates were created to generate trust and validation in software or code that you run on your machine. They are there to indicate:

  • This file came from a trusted source.
  • This file was not tampered with before you received it.
  • This file’s origin is openly known to you, and you can validate its creator.

Certificates are issued by certification authorities (CAs) and come in different grades according to the entity that issues them. They are granted to identifiable entities, or companies, that generate code, protocols or software, allowing them to sign their code and indicate it is legitimate and original.

While in the past certificates were issued only to large software vendors, today smaller firms and individual application developers use them, as well. Reports on the subject show that the sheer number of certificates in circulation has increased from about 20,000 in 2007 to over 150,000 certificates in 2015.

Some examples of the most well-known CAs that issue certificates are Symantec and WebTrust. These authorities issue Class 1 certificates, which are considered the most trusted. There are also Class 2 CAs that issue certificates for commercial purposes, such as GoDaddy, DigiCert, Comodo, Entrust and others.

Beyond basic certification, in cases where a heightened level of security is needed, a digital certificate issued by one CA is used to sign the public key for the root certificate of another CA. This is termed cross-certification, and it provides a means to create a chain of trust from a single trusted root CA to multiple other CAs.

Why Do Certificates Matter?

Code signing certificates are the digital equivalent of the shrink-wrap or hologram seal used on real-world software packages to authenticate them as genuine and assure the user they come from the trusted publisher. As such, certificates are checked by the operating system (OS), granting different types of files, drivers and scripts the ability to operate inside the OS.

Browsers, antivirus engines and other security tools also check new files for a valid certificate before they allow them to install and alert the user if the file is not signed. An unsigned file receives more restrictive treatment on the system in terms of the processes it will be able to automatically carry out.

Most relevant within the context of malware and threats are code signing certificates for Microsoft Authenticode, which digitally sign 32-bit or 64-bit user modes (.exe, .cab, .dll, .ocx, .msi, .xpi and .xap files) and kernel-mode software.

It’s probably easy to understand at this point why cybercriminals would want to have a valid certificate to sign malware before delivering it to an endpoint: It is a means of providing malcode with a higher level of trust on a user’s machine or server, helping it evade protection mechanisms it will encounter on its way. Cybercriminals can use certificates to legitimize almost any code they use — and they do.

How Criminals Use Signed Malware

Using certificates to sign malcode is routine for those attempting to keep it looking as legitimate as possible, and it is usually done with stolen certificates.

Some of the most common illicit ways to obtain code signing certificates entail stealing certificates’ private keys using Trojan horses or — the more advanced, sophisticated approach — by attempting to compromise the certificate key builder of software vendors. The latter is of course the rarer option, but it is nonetheless a means for advanced and targeted actors.

Signed malicious files can be part of complicated operations. Stuxnet used certificates stolen from Realtek and JMicron, and Duqu abused stolen Foxconn certificates. A high-profile commercial attack used Sony’s certificates to sign the Destover malware and then reused it to attack Sony Pictures. Still, in the bulk of cases, signed malware is used in less sophisticated scenarios, like financial cybercrime, which is also the most prevalent attack type that abuses them.

Some examples where signed financial malware made the rounds include the Cryptowall ransomware that was signed by a well-known CA, POS malware spread during the 2014 holiday season and banking Trojans that were signed with HP’s private key after malware made it into a developer’s endpoint. But perhaps the most interesting example is also the most recent and bigger threat: The Carbanak Trojan gang, a billion-dollar cyber heist machine, just resurfaced with signed malware files! The gang has apparently been able to obtain a certificate issued by a trusted authority with which to sign their malware.

In January 2015, a Kaspersky Lab report noted that while researchers detected about 1,500 certificates signing malware back in 2008, they saw four times as many certificates — over 6,000 of them — sign malware in 2014.

Overall, the signed malware phenomenon relies on the theft of certificates unbeknownst to their rightful owner. They can remain in circulation and be deemed trusted, but only until someone finds that malicious actors are abusing them — which is exactly what happened when X-Force researchers discovered a suspicious certificate being peddled by cybercriminals in the underground.

Suspicious Certificates in the Wild

Upon the discovery of a seemingly legitimate certificate that was being used by fraudsters, the first logical possibility our researchers thought about was that it was stolen from its rightful owner.

The code signing certificate was being used as proof of integrity by a dubious vendor selling them to fellow cybercriminals. This was a valid, trusted certificate issued by a Class 2 CA from a well-known commercial vendor. The certificate was fully usable — easy to sign any program or application with.

Seeing as the certificate was indeed valid at the time, the next step was to contact its owner and advise them that it must have been stolen and was being offered up to cybercriminals in the wild.

Another important step is the disclosure of the problem to the CA that issued the certificate. This ensures the CA looks into the matter and is aware of the potential of theft of a customer’s certificate.

Since the certificate was in the hands of cybercriminals to resell and use, IBM Security X-Force researchers took on the task of looking up more information about the company it belonged to in order to disclose the issue to other competent responders.

The certificate indicated that it belonged to a certain small company registered in the U.K. Open source search results brought up the company’s registration number, showing its official address and the fact it has been active for about a year and a half as of July 2015.

The nature of the company’s business was not made public, nor did it show any activity since its incorporation. However, if it is the sort of business that needs digital certificates, then one could assume it most likely sells software or another code-based product.

But searching for a website for the company did not bring up any results, although it has allegedly existed for over two years and, again, sells software of some sort.

The postal address to communicate with the owner is shared by no less than 928 other companies — a rather peculiar fact based on Google Maps showing that it is physically located in a residential area in a small Scotland town in the Fife district.

Starting to look surprising? Maybe not so much. Seeing as the certificate at hand was being peddled by a fraudster, is it possible that dummy corporations registered by cybercriminals are then used to issue bank accounts, checks and even code signing certificates? The mysterious company in this case could be a front for the purpose of cybercrime.

Separating legitimate enterprises from dummy companies can be rather difficult because criminals take the necessary steps to appear authentic. For example, a company that operates in a small Scottish town, in the same postal code as 928 other companies, none of which has a website or phone number, may not be flagged as suspicious.

It is only when one discovers that the company is signing code with a valid certificate but has no other trace or indication of the nature of its business that a red flag is raised. A legitimate organization that sells software of any sort would at least have a website or show activity online linked with its name if it existed.

Hot Underground Trend: Code Signing Certificates for Sale

After finding the suspicious certificate, X-Force researchers went deeper into the investigation of what turned out to be an increasingly popular trend in the underground: the sale of large amounts of code signing certificates to and by cybercriminals.

As the research progressed, it was insightful to learn that the certificate selling phenomenon has grown considerably, with over a dozen vendors selling certificates in any given venue. Certificates have evolved into a commodity in the underground, sold without limitations to anyone who will pay.

Looking into a number of sources, IBM Security X-Force researchers provided a rather telling screen capture of one certificate vendor’s website, detailing the offerings he can supply.

In hopes of appearing legitimate to potential buyers or law enforcement, the vendor makes some ridiculous claims, stating that “thanks to active cooperation with the sellers of certificates,” he can provide the lowest prices in the market. But which sellers? And which market? Clearly the cybercrime market that buys the certificates and then resells them for a profit.

Note that this shop offers a number of types of certificates, including cross-certification. Cross-certifying is used for Kernel-Mode Code Signing — the most privileged level on the OS. Having this level of certificate sold to criminals can easily lead to dangerous situations for the entities they will later target with signed malcode.

Unlike the correct practice for selling certificates, the vendor only accepts payment in bitcoin — a telling sign that he has no intention of checking whom he sells these certificates to.

Stolen or Bought? Virtual Dark Markets and Real-World Crime

The more interesting points in this vendor’s post appeared in Russian, where he clearly indicated that his certificates are not stolen and are registered to existing persons and companies.

What person or company would knowingly allow the sale of a digital certificate in their name to cybercriminals? And how come there are so many of them?

There is no logical way for cybercriminals to manage to steal so many legitimate certificates quickly enough to continuously supply their buyers. Judging by the momentum the certificate market has been gaining in the underground, there has to be a third way that is quickly gaining popularity. When sudden surges arise in the underground, it is almost always the result of fraudsters finding a new way to make a quick buck with little effort.

The most likely answer here is that the companies for which the plethora of certificates are being issued do not exist. The vendor registers certificates using identity theft and company information that does not belong to him, or maybe sets up dummy corporations — say, 928 of them in one postal code — and then buys certificates in their names.

Broken Trust

The phenomenon of stolen certificates being used to sign malware is one issue that is already preventing OSs and security solutions from being able to completely trust signed files. While certification is a means to increase trust, it is evident that cybercriminals and advanced threat adversaries are abusing this trust to their own advantage.

More than the theft of certificates, which is eventually discovered and ends in the revocation of the certificate, the phenomenon of criminals buying certificates for fake or unaware companies is a much greater threat. Certificates that are issued to nonexistent entities and then used to sign malware break the basic trust certificates are made for.

Reporting suspicious certificates to their owner is unlikely to result in revocation. Similarly, reporting them to the issuing CA may not necessarily result in any concrete action to investigate the matter or put an end to it because the company features the information needed to appear real. Even in the face of actual proof that a certificate is being used to sign malicious code, if its owner has checked out as a legitimate organization at the registration phase and the user account is intact, it may not be further examined thereafter.

While certificates on their own are a proper means to encrypt and sign code, the supporting verification infrastructure that is supposed to provide assurance is lacking. The result is a burgeoning black market for shady certificates, producing chinks in the armor of trust we should grant signed files.

Some Recommendations

Trusting code-signed certificates is becoming increasingly risky, requiring added layers of security to protect from the deepest parts of the OS — the kernel — to its user-mode levels. As this threat becomes more appreciable, it calls for new measures of verification that would allow us to keep intruders out while still trusting code from legitimate vendors.

Here are some tips that can help:

  • As trivial as this may seem, the first and foremost best practice is to keep a fully updated OS and browser application at all times. Updates often include important security patches that change how signatures are verified for binaries launched on your devices. This is even more important now that Microsoft plans on deploying one Windows OS across all platforms.
  • Your OS already contains the identifiers of a number of trusted CAs. These are called root certificates, which means that any file signed by that authority will be trusted. Due to the privilege level root certs receive, it is highly recommended not to add any new CAs to this zone unless you are a security professional who knows the implications of such changes.
  • While scenarios vary, stolen code signing certificates are most often robbed from small or lone developers whose systems were compromised. The same goes for certificates issued to fake companies. By banning files that come from unknown developers, you can filter out most of the high-risk files that cybercriminals sign and distribute.
  • Checking a certificate’s validity and owner name is good, but it is important to verify additional attributes in case it was stolen from a well-known vendor. One unique identifier you can verify is the certificate’s hash sum. Digital signing of software begins with the creation of a cryptographic hash of the file being signed. Even a small change in the original data would result in a significant change in the hash value.
  • System administrators should keep a list of trusted certificates and update it regularly. Some security vendors will provide a list of certificates you should no longer trust, even if they are still in circulation.
  • Deploy endpoint security solutions that layer numerous file verifications and can prevent the deployment of advanced malware and unknown threats.

More from Threat Intelligence

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today