This week experts at Chronicle published a study on signed malware registered on VirusTotal that states that most of the digital certificates used to sign malware samples found on VirusTotal in 2018 have been issued by the Certificate Authority (CA) Comodo CA (aka Sectigo).
Chronicle’s security researchers have analyzed submissions May 7, 2018, and May 7, 2019 discovering that out of a total of 3,815 signed malware samples, 1,775 were signed using a digital certificate issued by Comodo RSA Code Signing CA.
Experts from Sectigo analyzed the Chronicle’s findings and provided their response. According to Sectigo, most of the certificates used to sign the malware submitted to VirusTotal and issued by the company
Below the data provided by Sectigo:
“Unfortunately, recent press reports suggest the incorrect conclusion that Chronicle reported nearly 2000 such certificates for Comodo / Sectigo. Since this story ran, we have investigated all of the certificates attributed to Comodo / Sectigo. More than 90% of these were expired, previously revoked, or duplicate reports.” reads the post published by Sectigo.
The CA confirmed that is still investigating 25 certificates that labeled with “in process” status.
“These reported certificates did not match our records of Code Signing certificates from Comodo / Sectigo during our investigation. We are continuing to investigate these certificates.” reads the CA.
Sectigo encourages Chronicle or other researchers to report any misuse of its public certificates at: