Digitally signed threats with a valid certificate are no longer the mark of a sophisticated, nation-state attacker. The number of malware samples signed with a valid certificate found on VirusTotal is in the thousands.

Threats signed with a valid digital certificate are no longer the mark of a sophisticated, nation-state attacker: financially motivated cybercriminals are able to purchase code-signing certificates, either directly or indirectly, from certificate authorities (CAs) or their resellers.

Criminals abuse certs from at least 13 CAs

A study from security company Chronicle reveals that 3,815 signed malware samples were uploaded to the VirusTotal scanning service over a period of one year.

The investigation is by no means exhaustive, as it focused only on Windows portable executable (PE) files and excluded samples that had fewer than 15 detections on the platform. Furthermore, it filtered out files that were only borderline malicious.

The list of CAs with abused certificates includes Sectigo, Thawte, VeriSign, Symantec, DigiCert, GlobalSign, WoSign, Go Daddy, WoTrus, GDCA, Certum, E-Tugra, and Entrust.

The results show that certificates issued by Sectigo, formerly Comodo, were used to sign the highest number of malware samples. Authors of malicious code abused certs issued by the company to sign close to 2,000 threat samples.

This should not come as a surprise, as Sectigo is the largest commercial Certificate Authority (CA) and has plenty of resellers that could be tricked into issuing a certificate to the wrong party. Recently, the company announced a sponsorship of Let's Encrypt, a CA that offers free TLS certificates for the public benefit.

Code signing emerged as a method to guarantee the authenticity and integrity of the code running on a Windows machine, which allows discerning between legitimate software and potentially malicious code. A valid signature proves only that the file has not been altered since it was signed by the holder of a key that some CA vouched for; it says nothing about whether the code is benign. All of this relies on trust in the authority that issued the certificate.

"The chain of trust is relatively straightforward: certificates are signed (issued) by trusted certificate authorities (CAs), which have the backing of a trusted parent CA. This inherited trust model is taken advantage of by malware authors who purchase certificates directly or via resellers," explains Chronicle.

Second among the CAs whose certificates were used to sign malware is Thawte, with over 600 distinct samples, while VeriSign accounted for almost 300 samples.

The six CAs whose certificates each signed 100 or more malware samples account for about 78% of the signed malicious code uploaded to VirusTotal.

The differences between the top three spots are quite steep. The CA at the top signed 3.5 times as many samples as the runner-up, and the company in second place signed twice as many samples as the occupant of third place.

However, these CAs are not idle about the issue and use the only mechanism available to them to remove trust in signed malware: revoking the certificate. A revocation only takes effect on endpoints that actually consult the CA's revocation data (CRL or OCSP) when verifying a signature, so it is a weaker remedy than never issuing the certificate in the first place.

According to visible data, Sectigo revoked certificates for 354 malware samples while Thawte dealt with 348. As of May 8, all CAs combined had revoked trust in 21% of the samples with abused certificates.

It is important to note that the number of samples with a revoked cert is likely higher, as revocation is reflected in VirusTotal only when the malware is rescanned after the certificate has been revoked.
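What the chain of trust and the revocation mechanism described above look like in practice on a Windows endpoint, as an added example that is not part of Chronicle's study or of this article: the function reads the Authenticode signature of a PE file, prints the signer and issuer so they can be compared against the CAs named above, then rebuilds the certificate chain with online revocation checking explicitly enabled, instead of relying on whatever policy the cmdlet itself applies or on a scanner's cached verdict. The function name and the sample path are placeholders; it needs a real signed file and network access for the CRL/OCSP lookups.

```powershell
# Added example, not code from Chronicle or BleepingComputer. Function and path
# names are placeholders.
function Test-SignedPe {
    param([Parameter(Mandatory = $true)][string]$Path)

    # 1. What Windows itself says about the Authenticode signature on the file.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host "Signature status : $($sig.Status) ($($sig.StatusMessage))"
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { return $false }

    $cert = $sig.SignerCertificate
    Write-Host "Signer           : $($cert.Subject)"
    Write-Host "Issuer           : $($cert.Issuer)"
    Write-Host "Thumbprint       : $($cert.Thumbprint)"
    Write-Host "Cert validity    : $($cert.NotBefore) -> $($cert.NotAfter)"
    if ($sig.TimeStamperCertificate) {
        Write-Host "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"
    }

    # 2. Walk the chain of trust ourselves (signer -> intermediate -> root) with
    #    revocation checking forced online for every certificate in the chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($cert)

    Write-Host "Chain builds     : $built"
    foreach ($e in $chain.ChainElements) { Write-Host "   -> $($e.Certificate.Subject)" }
    foreach ($s in $chain.ChainStatus) {
        Write-Host "   ! $($s.Status): $($s.StatusInformation.Trim())"
    }

    # 3. Decide. A 'Valid' status only means a CA vouched for the signer when the
    #    file was signed; a revoked certificate, or one whose revocation status
    #    cannot be fetched, means that vouching is withdrawn or unconfirmed.
    $bad = $chain.ChainStatus | Where-Object {
        $_.Status -match 'Revoked|RevocationStatusUnknown|OfflineRevocation'
    }
    if ($bad) {
        Write-Warning "$Path is signed, but its chain is revoked or unverifiable; treat as untrusted"
        return $false
    }
    return ($sig.Status -eq 'Valid' -and $built)
}

# Usage (placeholder path):
# Test-SignedPe -Path 'C:\samples\suspect.exe'
```

The issuer line is the field to match against the CA list in the study when triaging a sample. Note that Windows honours a timestamp countersignature, so a signature made before the CA's recorded revocation date can still verify; a revocation dated after the signing time may therefore not invalidate an already-timestamped sample, and the ChainStatus output above is the place to see which case applies.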

"While malware abusing trust is not a new phenomenon, the popular trend of financially motivated threat actors buying code signing certificates illuminates the inherent flaws of trust-based security."

The researchers say that signed malware is becoming a common occurrence and that certificate authorities fight back by revoking trust in it, but better results are possible when buyers are vetted more diligently before a certificate is issued.

Update [05.23.2019]: Tim Callan, Senior Fellow at Sectigo, issued a statement to BleepingComputer saying that the company encourages security researchers to report malware signed with certificates issued by Sectigo.

"As a policy, Sectigo revokes certificates used in malware attacks and does not issue them to known malware purveyors. At its last general meeting, the CA/Browser Forum voted to establish a Working Group specifically for code signing. This Working Group is looking into responses to malware signing among other matters. We encourage security researchers to report instances of malware employing Sectigo certificates at signedmalwarealert@sectigo.com."

Update [05.24.2019]: Article edited to clarify that Chronicle's study counted signed malware samples, not the number of certificates a Certificate Authority issued that were then abused to sign the threats. Also, Sectigo published the results of its own investigation into the certificates it issued that were used to sign malware.