2017 saw a sudden increase in code signing certificates being used as a layered obfuscation technique to deliver malicious payloads.
Recorded Future's Insikt Group has been investigating the criminal underground and has identified a number of vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.
Particularly interesting is the researchers' finding that the certificates available on the digital underground are not stolen from legitimate owners, but are created on request for a specific buyer and registered using stolen corporate identities, which makes them harder for traditional network security appliances to detect.
"It's been generally accepted that security certificates circulating in the criminal underground were stolen from legitimate owners prior to being used in nefarious campaigns," says Andrei Barysevich, director of advanced collection at Recorded Future. "However, our most recent analysis indicates this is not the case. We have confirmed -- with a high degree of certainty -- that counterfeit certificates are created for specific buyers, per request, only and registered using stolen corporate identities. It's our belief that the legitimate business owners are completely unaware that their data was or is being used in these illicit activities. While we don't anticipate the widespread use of counterfeit credentials, we do believe that sophisticated actors with specific targets will continue to rely on fake code signing and SSL certificates as a part of their operations."
Standard code signing certificates are being traded for $295, with the most trusted Extended Validation (EV) certificates costing upwards of $1,500. EV SSL certificates start from $349, making this a lucrative business for the people behind it.
More information about the findings can be found on the Recorded Future website.