Connect with us

Hi, what are you looking for?



Use of Fake Code Signing Certificates in Malware Surges

There has been surge in the use of counterfeit code signing certificates to evade security detection solutions, despite the high cost such certificates come with, a new Recorded Future report shows.

There has been surge in the use of counterfeit code signing certificates to evade security detection solutions, despite the high cost such certificates come with, a new Recorded Future report shows.

Fake code signing certificates are used as a layered obfuscation technique in malware distribution campaigns, but these aren’t always stolen from legitimate owners, but rather issued upon request. The certificates are created for the specific buyer and registered using stolen corporate credentials, thus rendering traditional network defenses less effective, Recorded Future says.

Counterfeit certificates have been around for over half a decade, but the first offerings for such certificates were observed on the Dark Web only several years ago.

In March 2015, a user known as C@T offered on a prolific hacking messaging board a Microsoft Authenticode that could sign 32-bit/64-bit executable files, along with Microsoft Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing documents, and Silverlight 4 applications. Furthermore, Apple code signing certificates were also available, Recorded Future’s researchers say.

The advertiser claimed the certificates were issued by Comodo, Thawte, and Symantec and registered under legitimate corporations. The seller also said each certificate was unique and would only be assigned to a single buyer. The seller suggested the certificates would increase the success rate of malware installations 30% to 50% and claimed to have sold over 60 certificates in less than six months.

What prevented C@T’s offer to appeal to a large client base was the prohibitive cost of certificates, which can surpass $1,000 per certificate in some instances.

Several years later, three new actors started offering such services, primarily in the Eastern European underground, and two remain active, providing counterfeit certificates to Russian-speaking individuals.

Advertisement. Scroll to continue reading.

One of the actors specializes in Class 3 certif
icates (they do not include Extended Validation (EV) assurance) and offers them at $600. The other seller has a broad range of products in the offering, the researchers discovered.

Standard Comodo code signing certificates (without SmartScreen reputation rating) cost $295, while the most trusted EV certificates from Symantec cost $1,599 (a 230% premium over the authentic certificate). Buyers looking to make bulk purchases would pay $1,799 for fully authenticated domains with EV SSL encryption and code signing capabilities.

“According to the information provided by both sellers during a private conversation, to guarantee the issuance and lifespan of the products, all certificates are registered using the information of real corporations. With a high degree of confidence, we believe that the legitimate business owners are unaware that their data was used in the illicit activities,” Recorded Future notes.

All certificates are created per the buyer’s request, individually, and have an average delivery time of two to four days.

A trial one of the vendors conducted revealed that detection rate of the payload executable of a previously unreported Remote Access Trojan (RAT) decreased upon signing with a recently issued Comodo certificate. Testing a non-resident version of the payload revealed that only one security product recognized the file as malicious.

“Network security appliances performing deep packet inspection become less effective when legitimate (legitimate certificate) SSL/TLS traffic is initiated by a malicious implant. Netflow (packet headers) analysis is an important control toward reducing risk, as host-based controls may also be rendered ineffective by legitimate code signing certificates,” the security researchers note.

The counterfeit certificates might have experienced a surge, but they are not expected to become mainstream because of their prohibitive cost when compared to crypting services that are readily available at $10-$30 per each encryption. Nonetheless, more sophisticated attackers and nation-state actors will continue employing code signing and SSL certificates in their operations.

Related: TrickBot Using Legitimate Looking Sites With SSL Certificates

Related: Let’s Encrypt Wildcard Certificates a ‘Boon’ for Cybercriminals, Expert Says

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...