
Hackers are selling legitimate code-signing certificates to evade malware detection

Code-signed apps are harder to detect by network security appliances, making it easier to sneak malware onto a vulnerable system. The downside? Certificates aren't cheap — and hackers usually are.
By Zack Whittaker, Contributor


Security researchers have found that hackers are increasingly using code-signing certificates to make it easier to bypass security appliances and infect their victims.

New research by Recorded Future's Insikt Group found that hackers and malicious actors are obtaining legitimate certificates from issuing authorities in order to sign malicious code.

That runs contrary to the common view that, in most cases, certificates are stolen from companies and developers and repurposed by hackers to make malware look more legitimate.

Code-signing certificates are designed to give your desktop or mobile app a level of assurance by making apps look authentic. Whenever you open a code-signed app, it tells you who the developer is and provides a high level of assurance that the app hasn't been tampered with in some way. Most modern operating systems, including Macs, only run code-signed apps by default.

But code-signing doesn't only have an effect on users who inadvertently install malware; code-signed apps are also harder for network security appliances to detect. The research said that hardware which uses deep packet inspection to scan network traffic "become less effective when legitimate certificate traffic is initiated by a malicious implant."

That's been picked up by some hackers, who are selling code-signing certificates for as little as $299. Extended validation certificates, which are meant to go through a rigorous vetting process, can be sold for $1,599.

The certificates, the researchers say, were obtained from reputable certificate-issuing authorities like Comodo, Symantec and Thawte -- the latter two of which are now owned by DigiCert.

Apple certificates were also available.

"In Apple's world, you cannot execute a program which is not code-signed -- there are plenty of ways around it though," said Amit Serper, principal security researcher at Cybereason, and a specialist in Mac malware. "In order to get a program signed, you need to set up a developer account, pay Apple $99 and give them a reason to issue you a certificate. Since Apple's goal is to make money and have more developers joining their developer program and generate revenue, getting a certificate is incredibly easy."

"Many malware and adware for Macs out there are signed with legitimate code signing certificates provided by Apple," he said.

Serper recently wrote about Pirrit, a sneaky adware that injects ads directly into the browser. According to Serper's write-up, Pirrit's updater was code-signed, making it easier to download additional malicious content.

Spokespeople for Apple and Comodo did not respond to a request for comment. When reached, DigiCert did not have comment. If that changes, we'll update.

But the researchers say they believe the certificate authorities are "unaware" that their data was used. Andrei Barysevich, director of advanced collection at Recorded Future, told ZDNet that hackers "obtain the certificates directly from issuing authorities using stolen corporate information." Those stolen logins let hackers access the issuing authorities' networks and issue custom certificates for their customers.

"We are confident that no help from insiders at these companies is being used," he said.

According to the research, the hacker sold over 60 certificates in six months. But sales declined after malware writers opted for obfuscation techniques other than expensive code-signing certificates.

"However, undoubtedly more sophisticated actors and nation-state actors who are engaged in less widespread and more targeted attacks will continue using fake code signing and SSL certificates in their operations," the researchers said.
