Malicious Code-Signing Becomes Dark-Web Cottage Industry

Hackers are selling digital certificates that allow code-signing of malicious files—and, they’re making a whole cottage-industry business out of it.

According to a report from InfoArmor, hackers are using a malware creation tool called GovRAT, which is bundled with digital certificates for code-signing. It’s primarily an advanced persistent threat (APT) tool, active since early 2014. GovRAT victims so far include political, diplomatic and military employees of more than 15 governments worldwide, the firm said, along with seven banks, 30 defense contractors and more than 100 other corporations.

“Code-signing provides the assurance to users and the operating system that the software is from a legitimate source,” said Travis Smith, senior security research engineer for Tripwire, in an email. “Both obtaining and correctly applying the certificates to legitimate software is expensive and complex. Many protection mechanisms, rightfully so, check for the digital certificate. However, it's possible that additional security measures stop investigating the software beyond this.”

Attackers can thus exploit this lapse in security by obtaining certificates and signing their malware. 

“This decreases the ability for attacker automation, but will increase the value of potential loot,” Smith added. “For organizations which have valuable data, attackers are going to sacrifice automation for stealthier attacks such as code-signed malware.”

The GovRAT tool uses Microsoft SignTool and WinTrust to digitally sign malicious code and evade antivirus detection. Once malware signed with the tool is running on a victim host, it can communicate over SSL, obscuring the exfiltration of sensitive data. It also has advanced self-encryption and anti-debugging features.

Originally offered on the Dark Web for 1.25 Bitcoin ($420, at current rates, or $1,000 at the time), it’s now available only privately—and in an as-a-service model.

And GovRAT is not the only game in town. InfoArmor also has found code-signing certificates in various underground marketplaces that go for between $600 and $900, including legitimate certificates issued by Comodo, Thawte, DigiCert and GoDaddy.

“[The buyers are] black hats (mostly state-sponsored), malware developers,” Andrew Komarov, president and CIO at InfoArmor, told The Register. “It is [a] pretty professional audience, as typical script kiddies and cyber-criminals don’t need such stuff. It is used in APTs, organized for targeted and stealth attacks. The appearance of such services on the black market allows [hackers] to perform them much more easily, rather like Stuxnet.”

He added, “It is a pretty specific niche of modern underground market. It can’t be very big, as the number of certificates is pretty limited, and it is not easy to buy them, but according to our statistics, the number of such services is significantly growing.”

Hackers can sign not only executable files, but also drivers, Microsoft Office documents, Java content and many other file types—widening the attack surface considerably.

“Organizations should rely on a defense-in-depth security posture so if one defensive mechanism fails, another is in line to detect the attack,” Tripwire’s Smith said. “For attacks such as this, monitoring the list of both signed and unsigned software in the environment will give security administrators an early indication of compromise.”
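One way to build the signed/unsigned software inventory Smith describes, as an added PowerShell example that is not from the article, InfoArmor or Tripwire: it walks a set of assumed root directories, records each binary's Authenticode status, signer and hash, writes a CSV that can serve as a baseline for later comparison, and flags validly signed files whose signer is outside an assumed allowlist, which is exactly what a purchased or stolen certificate produces. The root paths, the signer allowlist and the output paths are assumptions to adjust for the environment.

```powershell
# Added example: inventory signed vs. unsigned binaries and flag unexpected signers.
# Assumed values: $Roots, $TrustedSigners, $OutCsv and $BaselineCsv.
param(
    [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot\System32"),
    [string[]]$TrustedSigners = @('Microsoft Corporation', 'Microsoft Windows'),  # assumed allowlist
    [string]$OutCsv = "$env:TEMP\signing-inventory.csv",
    [string]$BaselineCsv = "$env:TEMP\signing-baseline.csv"  # previous run, if any
)

$files = Get-ChildItem -Path $Roots -Recurse -File -Include *.exe,*.dll,*.sys -ErrorAction SilentlyContinue

$inventory = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # Pull the CN= value out of the certificate subject for readable grouping
    $signer = if ($subject -match 'CN=([^,]+)') { $Matches[1].Trim('"') } else { '' }
    [pscustomobject]@{
        Path       = $f.FullName
        Status     = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = $signer
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        SHA256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        # Valid signature from a signer we do not expect, or a signature that fails
        # verification: both deserve a human look rather than implicit trust.
        Review     = ($sig.Status -eq 'Valid' -and $TrustedSigners -notcontains $signer) -or
                     ($sig.Status -ne 'Valid' -and $sig.Status -ne 'NotSigned')
    }
}

$inventory | Export-Csv -Path $OutCsv -NoTypeInformation

# Summary of signed vs. unsigned, then the items flagged for review
$inventory | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$inventory | Where-Object Review | Select-Object Path, Status, Signer, Thumbprint | Format-Table -AutoSize

# Change detection against the previous inventory: new or altered binaries only
if (Test-Path $BaselineCsv) {
    $baseline = Import-Csv -Path $BaselineCsv
    Compare-Object -ReferenceObject $baseline -DifferenceObject $inventory `
        -Property Path, SHA256, Status, Thumbprint |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Path, Status, Thumbprint | Format-Table -AutoSize
}
```

Copy the CSV to the baseline path once the flagged entries have been reviewed, so the next run reports only what changed.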
