
Comodo Issued Most Certificates for Signed Malware on VirusTotal

Comodo CA (now known as Sectigo) is the Certificate Authority (CA) that issued the largest number of digital certificates used to sign malware samples found on VirusTotal over the past year, Chronicle’s security researchers have discovered. 

Data collected within a 365-day span (with an initial start date of May 7, 2019) revealed that, out of a total of 3,815 signed malware samples, 1,775 used a digital certificate issued by Comodo RSA Code Signing CA. 

The process of cryptographically signing code was meant to provide an operating system with the means to discriminate between legitimate and potentially malicious software. The system relies on a chain of trust, where certificates are issued by trusted CAs that have the backing of a trusted parent CA. 

Malware authors are taking advantage of this inherited trust model to purchase certificates directly or via resellers. Regardless of how the purchase is made, there is a lack of due diligence into customers, Chronicle says. 

At the moment, the researchers note, the only real tool to combat certificate abuse is revocation of the certificate, the process through which the CA declares that the certificate is no longer trustworthy. Revocation introduces a delay, and until it takes effect the signed malware may still be considered “trusted”.

For their investigation, Chronicle’s security researchers looked on VirusTotal at signed Windows PE Executable files, filtered out a large number of samples and grayware files, and then identified the CA responsible for each of the samples. 

Their analysis revealed that Comodo was responsible for the largest number of signed samples, at 1,775, with thawte at 509, VeriSign at 261, Sectigo (formerly Comodo) at 182, Symantec at 131, and DigiCert at 118 rounding out the list of CAs that issued over 100 certificates for malware. 

“CAs who signed certificates of 100 or more malware samples account for nearly 78% of signed samples uploaded to VirusTotal,” Chronicle underlines. 

“The CA with the most samples has nearly 3.5x more samples than the next highest which in turn has almost 2x more than the next highest. The pattern quickly falls off as we move down the line of the top 10 CAs issuing abused certificates,” the security researchers continue.

The investigation also revealed that 21% of samples had their certificates revoked by May 8, 2019, which indicates that the CAs are taking some action. 

“Note that for the revocation of a certificate to be reflected in the VirusTotal dataset, the sample must be rescanned following the revocation request by the responsible CA,” the researchers note. 
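The methodology described above (group signed samples by issuing CA, measure how concentrated the abuse is, and count revocations) can be reproduced over any export of signed-sample metadata. The following is an added example, not Chronicle's code or the VirusTotal API: the record layout, the CA names and the counts are all constructed for illustration. It also handles the caveat the researchers raise, by distinguishing certificates the CA has actually revoked from revocations that are visible in the dataset because the sample was rescanned after the revocation, and it optionally folds a renamed CA (such as a CA counted under both an old and a new brand) into one bucket.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SignedSample:
    """One signed PE sample as an analyst might export it from a scanning service.
    Field names are this example's own, not a VirusTotal schema."""
    sha256: str
    issuer_ca: str                     # issuing CA as written in the leaf certificate
    last_scan: date                    # date of the most recent (re)scan of the sample
    revoked_on: Optional[date] = None  # revocation date known to the CA, if any


def count_by_issuer(samples: Iterable[SignedSample],
                    aliases: Optional[Dict[str, str]] = None) -> Counter:
    """Count samples per issuing CA. `aliases` optionally maps an old CA name onto
    its current one so a rebranded CA is counted once rather than twice."""
    aliases = aliases or {}
    return Counter(aliases.get(s.issuer_ca, s.issuer_ca) for s in samples)


def share_from_heavy_issuers(counts: Counter, threshold: int = 100) -> float:
    """Fraction of all samples signed under CAs with at least `threshold` samples
    (the report's "CAs with 100 or more samples" figure)."""
    total = sum(counts.values())
    heavy = sum(n for n in counts.values() if n >= threshold)
    return heavy / total if total else 0.0


def top_ratios(counts: Counter, n: int = 3) -> List[float]:
    """Ratio of each of the top-n CAs to the next one down, in rank order
    (the report's "3.5x more than the next highest" style of comparison)."""
    ranked = [c for _, c in counts.most_common(n + 1)]
    return [round(a / b, 2) for a, b in zip(ranked, ranked[1:])]


def revocation_visibility(samples: Iterable[SignedSample]) -> Tuple[int, int]:
    """A revocation only shows up in a scan dataset once the sample has been
    rescanned after the CA revoked the certificate. Returns
    (certificates actually revoked, revocations visible in the dataset)."""
    samples = list(samples)
    actual = sum(1 for s in samples if s.revoked_on is not None)
    visible = sum(1 for s in samples
                  if s.revoked_on is not None and s.last_scan >= s.revoked_on)
    return actual, visible


def constructed_dataset() -> List[SignedSample]:
    """Constructed toy dataset (not the Chronicle data): CA names and counts are
    arbitrary, and every third sample is marked revoked on 2019-05-01."""
    spec = {"CA-Alpha": 14, "CA-Beta": 4, "CA-Gamma": 2, "CA-Alpha (new brand)": 1}
    samples: List[SignedSample] = []
    i = 0
    for ca, n in spec.items():
        for _ in range(n):
            revoked = date(2019, 5, 1) if i % 3 == 0 else None
            # Half of the revoked samples were last scanned before the revocation,
            # so the dataset still shows their certificates as valid.
            stale = revoked is not None and i % 2 == 0
            last_scan = date(2019, 4, 20) if stale else date(2019, 5, 8)
            samples.append(SignedSample(f"{i:064x}", ca, last_scan, revoked))
            i += 1
    return samples


if __name__ == "__main__":
    data = constructed_dataset()
    counts = count_by_issuer(data)
    print("per-CA counts:", counts.most_common())
    print("folded rebrand:", count_by_issuer(data, {"CA-Alpha (new brand)": "CA-Alpha"}).most_common())
    print("share from CAs with >= 4 samples:", round(share_from_heavy_issuers(counts, 4), 3))
    print("top-to-next ratios:", top_ratios(counts))
    print("revoked (actual, visible in dataset):", revocation_visibility(data))
```

The `threshold` is lowered to 4 when run over the toy dataset because it holds only 21 samples; on a real export the report's threshold of 100 applies unchanged. The gap between the two numbers returned by `revocation_visibility` is the quantity the researchers' caveat warns about: a dataset-only view undercounts CA revocations until the affected samples are rescanned.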

The increasing abuse of code signing certificates by financially motivated threat actors shows that trust-based security is flawed. Operators of crime-focused malware now also have access to code signing certificates, something that was previously available only to nation-state threat actors, who used to steal code signing certificates from victims. 

“Expect to see signed malware reported more frequently,” Chronicle says. 

“As a policy, Sectigo revokes certificates used in malware attacks and does not issue them to known malware purveyors,” Tim Callan, Sectigo’s Senior Fellow, told SecurityWeek. “At its last general meeting, the CA/Browser Forum voted to establish a Working Group specifically for code signing. This Working Group is looking into responses to malware signing among other matters. We encourage security researchers to report instances of malware employing Sectigo certificates at [email protected]” 

*Updated with comment from Sectigo. 

Related: Hackers Using Stolen D-Link Certificates for Malware Signing

Related: Use of Fake Code Signing Certificates in Malware Surges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
