Comodo Issued Most Certificates for Signed Malware on VirusTotal

Comodo CA (now known as Sectigo) is the Certificate Authority (CA) that issued the largest number of digital certificates used to sign malware samples found on VirusTotal over the past year, Chronicle’s security researchers have discovered. 


Data collected within a 365-day span (with an initial start date of May 7, 2019) revealed that, out of a total of 3,815 signed malware samples, 1,775 used a digital certificate issued by Comodo RSA Code Signing CA.

The process of cryptographically signing code was meant to provide an operating system with the means to discriminate between legitimate and potentially malicious software. The system relies on a chain of trust, where certificates are issued by trusted CAs that have the backing of a trusted parent CA. 

Malware authors are taking advantage of this inherited trust model to purchase certificates directly or via resellers. Regardless of how the purchase is made, there is a lack of due diligence on customers, Chronicle says.

At the moment, the researchers note, the only real tool to combat certificate abuse is the revocation of that certificate, a process through which the CA says the certificate is no longer trustworthy, and which introduces a delay in which the signed malware may be considered “trusted”.

For their investigation, Chronicle’s security researchers looked on VirusTotal at signed Windows PE executable files, filtered out a large number of samples and grayware files, and then identified the CA responsible for each of the remaining samples.

Their analysis revealed that Comodo was responsible for the largest number of signed samples, at 1,775, with thawte at 509, VeriSign at 261, Sectigo (formerly Comodo) at 182, Symantec at 131, and DigiCert at 118 rounding out the list of CAs that issued over 100 certificates for malware.

“CAs who signed certificates of 100 or more malware samples account for nearly 78% of signed samples uploaded to VirusTotal,” Chronicle underlines. 


“The CA with the most samples has nearly 3.5x more samples than the next highest which in turn has almost 2x more than the next highest. The pattern quickly falls off as we move down the line of the top 10 CAs issuing abused certificates,” the security researchers continue.

The investigation also revealed that 21% of samples had their certificates revoked by May 8, 2019, which indicates that the CAs are taking some action. 

“Note that for the revocation of a certificate to be reflected in the VirusTotal dataset, the sample must be rescanned following the revocation request by the responsible CA,” the researchers note. 
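The per-CA tally and the rescan caveat described above, as an added Python example that is not Chronicle's or SecurityWeek's code. The record layout and field names are assumptions for the example, not VirusTotal's real schema, and the sample data is constructed:

```python
from collections import Counter
from datetime import date

# Constructed, simplified records standing in for signed Windows PE scan results.
# Not VirusTotal's schema: "scan_revoked" is what the stored scan says about the
# signing certificate; "revoked_on" is when the issuing CA actually revoked it
# (None if it never did). The names and values are assumptions for this example.
SAMPLES = [
    {"id": "s1", "issuer": "Comodo RSA Code Signing CA",
     "last_scan": date(2019, 5, 8), "scan_revoked": False, "revoked_on": None},
    {"id": "s2", "issuer": "Comodo RSA Code Signing CA",
     "last_scan": date(2019, 5, 8), "scan_revoked": True, "revoked_on": date(2019, 5, 2)},
    {"id": "s3", "issuer": "Comodo RSA Code Signing CA",
     "last_scan": date(2019, 4, 20), "scan_revoked": False, "revoked_on": date(2019, 5, 3)},
    {"id": "s4", "issuer": "thawte SHA256 Code Signing CA",
     "last_scan": date(2019, 5, 8), "scan_revoked": False, "revoked_on": None},
    {"id": "s5", "issuer": "thawte SHA256 Code Signing CA",
     "last_scan": date(2019, 5, 8), "scan_revoked": True, "revoked_on": date(2019, 4, 30)},
    {"id": "s6", "issuer": "VeriSign Class 3 Code Signing 2010 CA",
     "last_scan": date(2019, 5, 8), "scan_revoked": False, "revoked_on": None},
]


def tally_issuers(samples):
    """Count signed samples per issuing CA (the per-CA ranking in the article)."""
    return Counter(s["issuer"] for s in samples)


def heavy_issuer_share(samples, threshold):
    """Share of samples whose issuer signed at least `threshold` samples
    (the article uses a threshold of 100; the constructed data uses 2)."""
    counts = tally_issuers(samples)
    heavy = sum(n for n in counts.values() if n >= threshold)
    return heavy / len(samples)


def scan_revocation_rate(samples):
    """Fraction of samples whose stored scan already reflects a revocation."""
    return sum(1 for s in samples if s["scan_revoked"]) / len(samples)


def needs_rescan(samples):
    """IDs the CA revoked after their last scan: the stored record is stale and
    still presents the signature as valid until the sample is rescanned."""
    return [s["id"] for s in samples
            if s["revoked_on"] is not None and s["last_scan"] < s["revoked_on"]]


if __name__ == "__main__":
    print(tally_issuers(SAMPLES).most_common())
    print("heavy-issuer share:", heavy_issuer_share(SAMPLES, 2))
    print("revoked in scan:", scan_revocation_rate(SAMPLES))
    print("stale, needs rescan:", needs_rescan(SAMPLES))
```

The revocation rate a dataset like this reports is a lower bound: samples in `needs_rescan` are already revoked by the CA but still look trusted in the stored record.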

The increasing abuse of code signing certificates by financially motivated threat actors shows that trust-based security is flawed. Operators of crime-focused malware now also have access to code signing certificates, something that was previously available only to nation-state threat actors, who used to steal code signing certificates from victims.

“Expect to see signed malware reported more frequently,” Chronicle says. 

“As a policy, Sectigo revokes certificates used in malware attacks and does not issue them to known malware purveyors,” Tim Callan, Sectigo’s Senior Fellow, told SecurityWeek. “At its last general meeting, the CA/Browser Forum voted to establish a Working Group specifically for code signing. This Working Group is looking into responses to malware signing among other matters. We encourage security researchers to report instances of malware employing Sectigo certificates at [email protected].” 

*Updated with comment from Sectigo. 

Related: Hackers Using Stolen D-Link Certificates for Malware Signing

Related: Use of Fake Code Signing Certificates in Malware Surges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
