
Valid code-signing certificates are sold on the black market to get executables past antivirus

Attackers have been using code-signing certificates for malware for years. Back in 2010, researchers noticed malware samples carrying signatures copied from "clean" files. Naturally, such a transplanted signature did not pass the Authenticode check (see the F-Secure presentation at the CARO 2010 conference).
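Why those transplanted signatures failed the check, shown with an added example that is not code from the article or the F-Secure presentation. Authenticode does not sign the raw file bytes; it signs a digest of the PE computed with three regions skipped: the CheckSum field, the Certificate Table entry in the data directory, and the certificate table itself (the WIN_CERTIFICATE blob appended to the file). That is what makes a signature block easy to cut out of one file and paste onto another without corrupting the target's layout, and also what makes the pasted block worthless: the digest it carries was computed over the original file. The example below builds two PE32+ images in memory, "signs" one with a stand-in payload (the raw SHA-256 Authenticode digest instead of a PKCS#7 SignedData structure, so it runs offline without a crypto library), transplants the block onto the other and checks both. The build_minimal_pe, sign, transplant and demo helpers are my own, and the digest computation assumes sections lie in file order with no gaps, which holds for these constructed files.

```python
import hashlib
import struct

# Added example, not code from the article or the F-Secure presentation. PE images are
# constructed in memory; the signature payload is a stand-in (the raw Authenticode SHA-256
# digest) instead of a real PKCS#7 SignedData, so the check runs offline. Hashing skips the
# same regions as the Authenticode spec and assumes sections lie in file order with no gaps.

PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4     # data directory index of the Certificate Table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def build_minimal_pe(code: bytes) -> bytes:
    """Tiny unsigned PE32+ image: DOS header, PE headers (no sections), then `code` bytes."""
    dos = bytearray(64)
    dos[0:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 64)   # e_lfanew -> PE signature at 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = struct.pack("<HBBIIIII", PE32PLUS_MAGIC, 14, 0, len(code), 0, 0, 0, 0)  # standard fields
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII",                                  # Windows-specific
                       0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                       0x1000, 0x200, 0, 3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += bytes(16 * 8)                 # 16 empty data directories
    headers = bytes(dos) + b"PE\0\0" + coff + opt
    return headers + bytes(0x200 - len(headers)) + code   # pad to SizeOfHeaders = 0x200

def _layout(pe):
    """File offsets of the CheckSum field and of the Certificate Table directory entry."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert bytes(pe[e_lfanew:e_lfanew + 4]) == b"PE\0\0", "not a PE file"
    opt_off = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dirs_off = opt_off + (112 if magic == PE32PLUS_MAGIC else 96)  # PE32+ vs PE32
    return opt_off + 64, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY  # CheckSum is at +64 in both

def authenticode_hash(pe: bytes) -> bytes:
    """SHA-256 of the file minus CheckSum, Certificate Table entry and the table itself."""
    checksum_off, secdir_off = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)  # a file offset here, not an RVA
    skips = [(checksum_off, 4), (secdir_off, 8)] + ([(cert_off, cert_size)] if cert_size else [])
    h, pos = hashlib.sha256(), 0
    for off, size in skips:
        h.update(pe[pos:off])
        pos = off + size
    h.update(pe[pos:])
    return h.digest()

def attach_signature(pe: bytes, payload: bytes) -> bytes:
    """Append a WIN_CERTIFICATE entry and point the Certificate Table entry at it."""
    assert len(pe) % 8 == 0, "certificate table must start on an 8-byte boundary"
    out = bytearray(pe)
    cert_off = len(out)
    blob = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    blob += bytes((-len(blob)) % 8)      # entries are padded to 8 bytes
    out += blob
    struct.pack_into("<II", out, _layout(out)[1], cert_off, len(blob))
    return bytes(out)

def extract_payload(pe: bytes) -> bytes:
    """Signed payload from the certificate table, or b'' if the file is unsigned."""
    cert_off, cert_size = struct.unpack_from("<II", pe, _layout(pe)[1])
    if not cert_size:
        return b""
    length, rev, ctype = struct.unpack_from("<IHH", pe, cert_off)
    assert (rev, ctype) == (WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return pe[cert_off + 8:cert_off + length]

def sign(pe: bytes) -> bytes:
    """Stand-in for signing: embed the Authenticode digest of the 8-byte-aligned file."""
    pe += bytes((-len(pe)) % 8)          # align before hashing so the padding is covered too
    return attach_signature(pe, authenticode_hash(pe))

def verify(pe: bytes) -> bool:
    """True only if a signature is present and its digest matches the file it sits in."""
    payload = extract_payload(pe)
    return bool(payload) and payload == authenticode_hash(pe)

def transplant(signed_src: bytes, unsigned_dst: bytes) -> bytes:
    """What the 2010 samples did: paste a clean file's signature block onto another file."""
    dst = unsigned_dst + bytes((-len(unsigned_dst)) % 8)
    return attach_signature(dst, extract_payload(signed_src))

def demo() -> dict:
    clean = build_minimal_pe(b"\x48\x31\xc0\xc3" + b"\x90" * 4)   # xor rax,rax ; ret ; nops
    malware = build_minimal_pe(b"\xcc" * 8)                        # a different binary
    signed_clean = sign(clean)
    forged = transplant(signed_clean, malware)
    return {
        "clean_verifies": verify(signed_clean),
        "digest_unchanged_by_signing": authenticode_hash(signed_clean) == authenticode_hash(clean),
        "forged_carries_clean_digest": extract_payload(forged) == authenticode_hash(clean),
        "forged_verifies": verify(forged),
    }

if __name__ == "__main__":
    print(demo())
```

A real verifier goes on to check the PKCS#7 signature over that digest and the certificate chain up to a trusted root; the point here is only that the digest binds the signature to one specific file, so copying the block never bypasses the check. That is exactly why the market moved from transplanted signatures to genuinely issued certificates.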



The next harbinger was the "government" malware Stuxnet, discovered in 2010. It used four 0-day vulnerabilities in Windows to spread and gain administrator rights, and was signed with genuine certificates stolen from Realtek and JMicron. The malware installed itself in the system as a Windows kernel driver.


Other examples followed, and since about 2015 a full-fledged black market in valid certificates from reputable certification authorities (CAs) has developed. Such certificates are sold on underground forums such as the Russian Antichat.

There is a widespread belief that certificates on the black market are stolen from their real owners. This is not true: the CAs themselves actually issue them.

Security specialists from Recorded Future's Insikt Group studied the underground certificate market and published a report (PDF) with their findings. In their assessment, it can be stated with high confidence that certificates for the black market are now created to order for a specific customer. They are registered to real companies, which in all likelihood do not suspect that registrations are being made in their name, although in some cases criminal collusion (for example, bribed employees) cannot be ruled out.

These are fully valid, legitimate certificates for real companies, issued by serious CAs. This tactic has proven extremely effective for spreading malware, the report's authors write.

One of the first to sell "black" certificates was the hacker group C@T. In March 2015 it offered Microsoft Authenticode certificates for signing 32-bit and 64-bit executables on the well-known Russian forum Antichat. The certificates also allow signing code for Microsoft Office, Microsoft VBA, Netscape Object Signing and Marimba Channel Signing, as well as Silverlight 4 applications.


Format of the signed executable: PE

In its ad, the group stated that the certificates were issued by Comodo, Thawte and Symantec to real corporations. Each certificate is unique and was promised to be sold to only one buyer. Certificates for signing Apple code were offered as well.



"In the Apple world, you cannot run a program with unsigned code, although there are many ways to bypass this check," said Amit Serper, Mac Security Lead at Cybereason. "To sign a program, you need to set up a developer account, pay Apple $99 and explain why a certificate is needed. Since Apple's goal is to make money and attract more participants to its developer platform, getting a certificate is incredibly easy. A lot of Mac malware and adware is signed with legitimate certificates issued by Apple."

According to C@T, signing code with such a certificate raises the rate of successful malware installations by 30-50%. The group also said that over the preceding six months it had already sold more than 60 certificates. That is a good result given the high price: three years ago, "black" certificates cost more than $1,000.

In 2016 two more certificate sellers appeared on the forums, and in May 2017 a third joined them. All three are still active. The first works with Russian-speaking clients (advertising on local forums), the second specializes in Class 3 PKI certificates at $600, and the third offers the widest range.



The cheapest, standard code-signing certificates issued by Comodo with no SmartScreen reputation, sell for $295. The most expensive are EV certificates from Symantec with SmartScreen reputation, at $1,599.

EV SSL certificates are sold separately, from $349 per domain. A code-signing certificate bought together with an EV SSL certificate costs $1,799.

How effective are such certificates?


Insikt Group persuaded one of the black-market certificate vendors on the forum to run a test. They obtained a new RAT Trojan not yet present in antivirus databases. The files were first encrypted (packed) and then signed with a freshly issued Comodo certificate.

Of all the antivirus engines on VirusTotal, eight detected the encrypted but unsigned malware, and only two detected the copy signed with the Comodo certificate.





Even more alarming results came from the non-resident version of the Trojan: six antivirus engines detected the threat in the unsigned file, and only one in the signed file.





Experts warn that the use of valid certificates together with SSL/TLS traffic encryption may in future hamper antivirus protection that relies on deep packet inspection. On the other hand, "black" certificates are still quite expensive, so not every attacker can afford to buy new certificates after the old ones are revoked. Most likely, such certificates, for both code signing and SSL, will be used mainly for industrial espionage and for the cyber operations of various countries' intelligence services, as was the case with Stuxnet.

Information on standard and extended-validation code-signing certificates from the GlobalSign certification authority, compatible with most platforms, can be found on the company's official website.



We are announcing the "More cyber protection for sport" promotion!

GlobalSign joins the celebration of the biggest event for athletes and football fans, the 2018 FIFA WORLD CUP, and is GIVING AWAY 1 YEAR OF SSL PROTECTION!*

Terms of the promotion:
• When you purchase any one-year DV, OV or EV SSL certificate, you get the second year free.
• The promotion applies to all sports websites.
• The promotion is valid only for new orders and does not apply to partners.
• To take advantage of the offer, send a request on the website with the promotional code SL003HBFR.

The promotion will last until July 15, 2018.

You can get additional information on the promotion from GlobalSign Russia managers by phone: +7 (499) 678 2210.

MORE PROTECTION with GlobalSign!

Source: https://habr.com/ru/post/350472/

