Computer Security Warning: Digitally Signed Malware is On the Rise


Code signing is, in theory, a great tool for discriminating between legitimate executables and suspicious, potentially harmful malware. However, recent submissions to online threat databases show a worrying trend: a growing amount of real malware is being distributed with very real certificates issued by real certification authorities.

Over the course of roughly 12 months, VirusTotal, a service that collects, catalogs and analyzes threat samples using a variety of tools and methods, accumulated nearly 4,000 different pieces of malware that had all been digitally signed with certificates from legitimate certification authorities. The institutions issuing those certificates included Entrust, DigiCert, Go Daddy, GlobalSign, Sectigo and VeriSign. The data comes from a report published on Medium's Chronicle Blog.

There may be more digitally signed malware than originally thought

What is more, the numbers quoted are considered quite conservative and may not reflect the real spread of digitally signed malware, because the criteria used to arrive at them were restrictive. The 3,815 samples of signed malware were found by searching only Windows portable executables, and only files flagged by at least 15 detection engines were counted.
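The report's selection rule (a signed Windows PE that at least 15 engines flag) can be reproduced on your own sample set. The following is an added example, not code from the page, VirusTotal or Chronicle: it parses a PE's Security data directory to see whether an Authenticode signature blob is attached, then applies the detection threshold. The PE image and the scan records are constructed for illustration; the code checks only that a signature is present, not that it is valid or unrevoked.

```python
import struct

# Constructed minimal PE32+ image (not a real binary): MZ stub, PE signature,
# COFF header and an optional header whose Security data directory (index 4)
# points at an appended WIN_CERTIFICATE. Authenticode stores its PKCS#7 blob
# there, and the directory's "VirtualAddress" is a raw file offset.
def build_sample_pe(signed: bool) -> bytes:
    cert_blob = b""
    opt_size = 240                       # PE32+ optional header, 16 directories
    pe_off = 0x40
    cert_off = pe_off + 4 + 20 + opt_size
    if signed:
        # WIN_CERTIFICATE: dwLength, wRevision (0x0200), wCertificateType (2 = PKCS#7)
        body = b"\x30\x80" + b"\x00" * 14   # placeholder DER, not a real signature
        cert_blob = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", pe_off)   # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\x00" * (112 - 2)     # fields before dirs
    dirs = [(0, 0)] * 16
    if signed:
        dirs[4] = (cert_off, len(cert_blob))
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    return dos + b"PE\x00\x00" + coff + opt + cert_blob


def has_authenticode_signature(data: bytes) -> bool:
    """True if the Security directory points at a PKCS#7 WIN_CERTIFICATE entry."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00" or len(data) < pe_off + 24 + 2:
        return False
    opt_off = pe_off + 4 + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_base = opt_off + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
    if len(data) < dir_base + 5 * 8:
        return False
    cert_off, cert_size = struct.unpack_from("<II", data, dir_base + 4 * 8)
    if cert_off == 0 or cert_size < 8 or cert_off + cert_size > len(data):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    return cert_type == 0x0002 and length <= cert_size


def signed_malware_candidates(records, min_detections=15):
    """Report's criterion: signed PE with at least min_detections engine hits."""
    return [r["name"] for r in records
            if has_authenticode_signature(r["bytes"]) and r["detections"] >= min_detections]


# Constructed scan records; detection counts are made up for illustration.
SAMPLES = [
    {"name": "signed_flagged.exe", "bytes": build_sample_pe(True), "detections": 21},
    {"name": "signed_lowhits.exe", "bytes": build_sample_pe(True), "detections": 2},
    {"name": "unsigned_flagged.exe", "bytes": build_sample_pe(False), "detections": 30},
]
```

A present signature is only a hint that the file claims legitimacy; chain validation and revocation status still have to be checked separately before any trust is granted.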

As security researchers pointed out, digitally signed malware is a big deal as it allows serious threats to operate with ease in environments that otherwise have good security measures in place. The largest number of certificates issued to actual malware seemed to originate from Sectigo, formerly known under the name Comodo. More than half of the 3,815 detections had certification from Sectigo. This prevalence likely stems from the fact that Sectigo is also the largest certification authority among the bunch.

Bad actors are working with impunity, using throwaway LLC companies and buying certificates using those entities, not even pretending to be some established company. The certification authorities were quick to start revoking certificates issued to malware, with some working faster than others. The fact that bad actors have such immediate, easy access to code certification from legitimate authorities remains an issue that can only be taken care of by implementing more stringent due diligence rules and procedures.
