Threat actors sign their malware with legitimate digital certificates to avoid detection
The experts provided details of a certificate fraud that leverages on the executive impersonation. The researchers provided evidence that the threat actors sold the purchased certificates to a cybercrime gang that used them to spread malware.
The fraud begins with the reconnaissance phase in which the attackers select the target to impersonate. Threat actors use publicly available information to select candidates that are usually well-established people working in the software industry.
Once identified, the threat actors scrape victim’s information from open sources, such as their public LinkedIn profile page. Then attackers set up legitimate-looking infrastructure for the entity they are impersonating in the attempt to deceive certificate authorities.
“The attacker aims to use the top-level domain confusion in order to mislead the certificate authority during their identity verification process. The gamble is that the person verifying the certificate issuance request will assume that the same company owns both the global .COM and the regional .CO.UK domains for their business.” reads the analysis published by the experts.
“Here’s where the choice of registrar becomes truly important. Since GDPR legislation came into effect, most EU domain registrars have agreed that WHOIS records are considered private and personally identifiable information. This makes knowing the true identity behind the registered domain name subject to a data release process – a bureaucratic procedure meant to be fulfilled in cases of a legitimate enquiry such as a trademark dispute or a law enforcement request.”
Once set up the infrastructure, the threat
“2019-04-30 07:07:59 – The first signed malicious file appears in the wild. The certificate is used to sign OpenSUpdater, an adware application that can install unwanted software on the client’s machine. This executable is cross-signed for timestamp verification via Symantec Time Stamping Services Signer service.” continues the analysis.
The experts pointed out that even if it is harder for the attacker to acquire digital certificates, the threat actors they tracked has shown that it is in fact possible to do so.
(SecurityAffairs – digital certificates, hacking)