Security Experts:

Sectigo Revokes Certificates Used to Sign Malware Following Recent Report

Sectigo (formerly Comodo CA) says it revoked more than 100 digital certificates following a report from Chronicle that thousands of malware samples found on VirusTotal over the past year were digitally signed by certificates issued by Comodo

Published last week, the report showed that out of a total of 3,815 signed malware samples analyzed, 1,775 used a digital certificate issued by Comodo RSA Code Signing Certificate Authority (CA)

Furthermore, 182 certificates the CA issued after it was renamed to Sectigo were used to sign malware as well, Chronicle, the cybersecurity company of Google parent company Alphabet, said.

Sectigo/Comodo was not the only CA mentioned in the report, but was by far the issuer for the largest number of certificates used to digitally sign malware. Thawte was second with 509 certificates, followed by VeriSign with 261 of them. Symantec and DigiCert issued over 100 such certificates each.

“As a policy, Sectigo revokes certificates used in malware attacks and does not issue them to known malware purveyors," Tim Callan, Sectigo's Senior Fellow, said last week, responding to a SecurityWeek inquiry. 

On Friday, the CA published its own breakdown of the findings, revealing that only 127 of the certificates found by the Chronicle security researchers were active at the time the report was published and that they were quickly revoked.

Sectigo also said that over 90% of the nearly 2000 Comodo/Sectigo certificates mentioned in the report were either expired, previously revoked, or duplicates. 

According to the CA, the discovered malware samples were signed with 1660 duplicate certificates, 70 expired certificates, 126 previously revoked certificates, and 25 certificates that did not match records of Code Signing certificates from Comodo / Sectigo and are still being investigated. 

“We encourage Chronicle or any other researcher who becomes aware of misused Sectigo public certificates to report them to us upon discovery at [email protected] or [email protected],” Sectigo concluded. 

Related: Comodo Issued Most Certificates for Signed Malware on VirusTotal

Related: Comodo Sells Certificate Business to Private Equity Firm

view counter