‘Destover’ Malware Signed by Stolen Sony Certificate

A digital certificate stolen from Sony Pictures in the recent high-profile cyber attack has been used to sign malware, according to a report from Kaspersky Lab.

Ironically, the malware sample found digitally signed with the legitimate Sony certificate was a sample of “Destover”, the destructive malware family that was reportedly used against Sony in the recent attack, which resulted in troves of stolen corporate and personal data being leaked, along with the destruction of data on corporate PCs.

Sony’s digital certificates, which were leaked by the attackers, could be used to sign other malware samples for use in other attacks, but in this case the certificate may not actually have been used by someone with malicious intent.

However, CSO’s Steve Ragan has pointed out that the malware sample, which was uploaded to Malwr, was a joke between researchers.

The disturbing part, as Ragan reminded, is that even after learning that its digital certificates had been obtained by attackers, Sony had still not successfully revoked the known stolen certificates.

So while this incident may be a joke, the risk of Sony’s certificates being used in malware for real attacks is a reality.

Stolen Certificates from Sony

“Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective,” Kaspersky Labs’ Global Research & Analysis Team wrote in a blog post. “We’ve seen attackers leverage trusted certificates in the past, as a means of bypassing whitelisting software and default-deny policies.”

According to Kaspersky Lab, the new sample appears to have been signed on December 5, 2014, and it is virtually identical to a previously observed unsigned file.

Kaspersky said the stolen digital certificate was reported to Comodo and DigiCert, and it should be blacklisted shortly.
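The two points above, that a stolen but unrevoked certificate keeps chaining to a trusted root, and that whitelisting products which only verify the chain will therefore accept whatever it signs, come down to one check a default-deny policy should perform. The following Go program, an added example that is not code from Kaspersky Lab, Sony or this article, builds a throwaway CA and code-signing certificate (constructed for the demo; nothing is derived from any real publisher's certificate), then applies a policy that denies a signer unless the chain verifies for code signing, the signer's thumbprint is absent from a blocklist of certificates reported stolen, and a current CRL signed by the issuer does not list its serial. The function and type names (`EvaluateSigner`, `Verdict`, `MakeCRL`, `BuildTestPKI`) are this example's own; only the standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the outcome of the allowlisting policy for one signed binary.
type Verdict string

const (
	Allow           Verdict = "allow"
	DenyBlocklisted Verdict = "deny: signer is on the known-compromised list"
	DenyBadChain    Verdict = "deny: chain does not verify for code signing"
	DenyNoCRL       Verdict = "deny: no current CRL signed by the issuer"
	DenyRevoked     Verdict = "deny: signer certificate is revoked"
)

// Thumbprint is the SHA-256 of the certificate's DER encoding, the usual key
// for a blocklist of certificates that have been reported stolen.
func Thumbprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// EvaluateSigner is the default-deny check. A chain that verifies is necessary
// but not sufficient: the signer must also be absent from the blocklist and
// from a current CRL that the issuing CA actually signed.
func EvaluateSigner(leaf, issuer *x509.Certificate, roots *x509.CertPool,
	crlDER []byte, blocklist map[string]bool, now time.Time) Verdict {
	if blocklist[Thumbprint(leaf)] {
		return DenyBlocklisted
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return DenyBadChain
	}
	crl, err := x509.ParseRevocationList(crlDER)
	// Fail closed: a missing, forged or stale CRL must not be read as "not revoked".
	if err != nil || crl.CheckSignatureFrom(issuer) != nil || now.After(crl.NextUpdate) {
		return DenyNoCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return DenyRevoked
		}
	}
	return Allow
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildTestPKI makes a throwaway CA and a code-signing leaf (constructed for
// the demo; nothing is derived from any real publisher's certificate).
func BuildTestPKI(now time.Time) (ca, leaf *x509.Certificate, caKey *ecdsa.PrivateKey) {
	caKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Publisher Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: []byte{1, 2, 3, 4},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is needed to issue CRLs
	}
	ca = mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Publisher Code Signing"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return ca, mustCert(leafTmpl, ca, &leafKey.PublicKey, caKey), caKey
}

// MakeCRL has the CA publish a CRL listing the given serials as revoked.
func MakeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int, now time.Time) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	now := time.Now()
	ca, leaf, caKey := BuildTestPKI(now)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	quiet := MakeCRL(ca, caKey, nil, now)
	revoking := MakeCRL(ca, caKey, []*big.Int{leaf.SerialNumber}, now)
	fmt.Println("chain valid, nothing revoked:   ", EvaluateSigner(leaf, ca, roots, quiet, nil, now))
	fmt.Println("chain valid, serial on CRL:     ", EvaluateSigner(leaf, ca, roots, revoking, nil, now))
	fmt.Println("chain valid, thumbprint listed: ", EvaluateSigner(leaf, ca, roots, quiet, map[string]bool{Thumbprint(leaf): true}, now))
	fmt.Println("chain valid, no CRL at all:     ", EvaluateSigner(leaf, ca, roots, nil, nil, now))
}
```

The first line of output is the case the article describes: the chain is valid, so a product that stops there allows the binary. The thumbprint blocklist is what lets a defender deny a certificate the moment it is reported stolen, before the CA has published a CRL that lists it, and the fail-closed handling of a missing CRL is the difference between "not known to be revoked" and "known not to be revoked".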

“As more news on the Sony Pictures Entertainment breach trickles out, it’s not surprising to learn that the new version of the Destover malware used by the attackers was signed by a legitimate certificate from Sony,” Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, told SecurityWeek. “Time and again, we’re seeing breached organizations like Sony leave open doors for attackers by failing to protect the trust provided by digital certificates and cryptographic keys.”

“Bad actors have learned that the easiest, fastest and most effective way to inject malware that resides undetected on corporate networks is by signing the malware with compromised or stolen digital certificates,” Bocek continued. “Attackers know that most organizations cannot detect or respond to anomalous certificates that authenticate systems and users on their networks, devices and applications, so they exploit them, just as they did in the Sony hack.”

“Global companies typically have tens of thousands of keys and certificates and the majority do not take an accurate inventory of them, do not know where they are deployed, who is using them and do not have the right systems in place to secure them.”

“As noted by Kaspersky, these stolen Sony certificates are the exact opening attackers need and can lead to further, more detrimental attacks,” Bocek said. “SSL and SSH cloaks an attacker’s communication channel and makes it nearly invisible – this is exactly what they’re looking for to carry out their cyber crimes.”

*Updated with additional information on sample thought to be a joke between researchers.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
