Most of the digital certificates used to sign malware samples found on VirusTotal have been issued by the Certificate Authority (CA) Comodo CA.

Most of the digital certificates used to sign malware samples found on VirusTotal in 2018 have been issued by the Certificate Authority (CA) Comodo CA (aka Sectigo).

Chronicle’s security researchers have analyzed submissions May 7, 2018, and May 7, 2019 discovering that out of a total of 3,815 signed malware samples, 1,775 were signed using a digital certificate issued by Comodo RSA Code Signing CA.

Vxers use to sign the code of their malware to avoid detection of some security systems.

Malware authors are taking advantage of this inherited trust model to purchase certificates directly or via resellers and their signed code is considered reliable until the ravocation of the certificate by the CA.

At the moment, the researchers note, the only real tool to combat certificate abuse is the revocation of that certificate, a process through which the CA says the certificate is no longer trustworthy, and which introduces a delay in which the signed malware may be considered “trusted”.

“The chain of trust is relatively straight-forward: certificates are signed (issued) by trusted certificate authorities (CAs) , which have the backing of a trusted parent CA.” reads the study published by Chronicle. “This inherited trust model is taken advantage of by malware authors who purchase certificates directly or via resellers. Whether purchased directly or indirectly, due diligence into customers appears to be lacking.”

The investigation conducted by Chronicle experts focused on signed Windows PE Executable files uploaded to VirusTotal. The researchers filtered out a large number of samples, all the samples with less than 15 aggregate detections were excluded along with grayware files.

Chronicle calculated the distinct number of samples signed with digital certificates issued by the different CA.

Comodo issued the largest number of signed samples, at 1,775, with Thawte at 509, VeriSign at 261, Sectigo (formerly Comodo) at 182, Symantec at 131, and DigiCert at 118.

“CAs who signed certificates of 100 or more malware samples account for nearly 78%of signed samples uploaded to VirusTotal.” continues Chronicle.

Experts explained that at the time of the analysis (May 8th, 2019), 21% of samples had their certificates revoked, a circumstance that confirms that CAs are taking some action to contrast the abuses. It is important to consider that the revocation of a certificate is reflected in the VirusTotal dataset after the signed sample has been rescanned after the revocation request by the responsible CA.

“While malware abusing trust is not a new phenomenon, the popular trend of financially motivated threat actors buying code signing certificates illuminates the inherent flaws of trust based security. Signed payloads are no longer solely within the domain of nation-state threat actors stealing code signing certificates from victims; they are readily accessible to operators of crime focused malware.” concludes the expert. “The impact is amplified by the scope and scale of typical crimeware campaigns. Expect to see signed malware reported more frequently.”



If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – malware, digital certificates)

Share this...

Linkedin Reddit Pinterest

Share On