Connect with us

Hi, what are you looking for?


Malware & Threats

Rogue Antivirus Malware Uses Digital Certificates as Disguise

Researchers at Microsoft say a sophisticated family of rogue antivirus malware has reappeared using at least a dozen digital code-signing certificates.

Researchers at Microsoft say a sophisticated family of rogue antivirus malware has reappeared using at least a dozen digital code-signing certificates.

The use of the certificates is yet another example of malware authors abusing the Internet’s trust ecosystem in order to comprise users. With a stolen certificate in tow, a cybercriminal can sign a piece of malware and make it appear as though it is software from a legitimate developer.The tactic is not new; in fact, the notorious Stuxnet malware was observed using a valid signature when it was discovered by the security community in 2010.

During the past month, a rogue antivirus program known as ‘Antivirus Security Pro’ (detected as Rogue:Win32/Winwebsec) has stepped up and adopted the tactic in a big way, as Microsoft speculates that the dozen or so certificates it has seen being used may just be the tip of the iceberg if there are other variants are out there.

“A related family, TrojanSpy:Win32/Ursnif, has also been distributed with files signed using stolen credentials,” blogged David Wood of Microsoft’s Malware Protection Center. “We have observed Winwebsec downloading Ursnif, a Trojan that monitors web traffic, and steals sensitive information, including passwords. Earlier variants of Ursnif were also capable of stealing certificates and private keys, but this functionality does not appear to be present in the latest versions. Instead, it appears to have been added to certain samples of PWS:Win32/Fareit.”

Advertisement. Scroll to continue reading.

The certificates used by Antivirus Security Pro were issued to developers by some of the most prominent certificate authorities in the world, including VeriSign and Comodo. According to Microsoft, one of these certificates was issued just three days before researchers saw malware samples signed with it, suggesting that the malware’s distributors are regularly stealing new certificates as opposed to using older certificates they previously stockpiled.

“Just as it is important to keep your house and car keys secure, securing your code-signing private keys is essential,” Wood blogged. “Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company’s reputation if it is used to sign malware.”

“Certainly, no system used to store code-signing credentials should ever be used for web browsing, and it is vital that these systems run a regularly updated antivirus solution, and that any file you sign has been scanned for possible virus infection beforehand,” he continued.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.