Hackers use digital certificates to spread malware

Security researchers recently reported that criminals may use fake identities to purchase code-signing certificates from certificate authorities and resell them for profit. Whoever buys such a certificate can sign malware with it, so that the files appear to come from a legitimate company.

Digital certificates allow their owners to digitally sign information, a process that stamps the content with their identity and protects it from tampering. Both properties matter, but the identity behind the origin of the information is the one used as the key measure of trustworthiness. That is why threat actors are so focused on impersonating trusted parties.

Image: ReversingLabs

Once malware carries a valid signature, it is far more likely to slip past security controls and to convince users to download and run it, because a valid signature is widely treated as a mark of legitimacy. ReversingLabs describes the history of one such certificate:

“The first signed malicious file appears in the wild. The certificate is used to sign OpenSUpdater, an adware application that can install unwanted software on the client’s machine. This executable is cross-signed for timestamp verification via the Symantec Time Stamping Services Signer service.

The last signed malicious file has been spotted in the wild. In total, the certificate has been used to sign 22 executable files. Not all of them have been malicious, but those that have all belonged to the same malware family – OpenSUpdater. Some of them have been installation packages made with NSIS. All signed files after the first two have been using the same timestamping service.”
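The two points above, that a signature proves only that some CA vouched for an identity and that the bytes are unchanged, and that a certificate seen signing malware (as in the ReversingLabs timeline) has to be blocked by its own identifier rather than by signature validity, as an added example. This Go program is not from the article or from ReversingLabs. It uses only the standard library, builds its own throwaway root CA, and the vendor name "Acme Software Ltd", the payload bytes and the blocklist entry are constructed for illustration. Real Authenticode wraps the signature in PKCS#7 inside the PE file; the example keeps a bare detached signature so the trust decision is visible without that parsing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// check panics on error; this is demonstration code, not a production verifier.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate: self-signed when parent is nil (the throwaway root), else a code-signing leaf.
func issue(subject string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if !isCA {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// fingerprint is the SHA-256 of the DER certificate, the indicator a blocklist carries for an abused signer.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// verdict asks what a signature check really asks: trusted chain for code signing, signature matches the
// bytes, and (the step often skipped) is this specific certificate known bad. It never asks whether the
// subject is a real company; the CA already vouched for that.
func verdict(roots *x509.CertPool, cert *x509.Certificate, payload, sig []byte, blocklist map[string]bool) string {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return "rejected: untrusted chain: " + err.Error()
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), digest[:], sig) {
		return "rejected: signature does not match content"
	}
	if blocklist[fingerprint(cert)] {
		return "rejected: certificate on abuse blocklist"
	}
	return "trusted"
}

type Result struct {
	FraudulentIdentity string // valid certificate bought under a fake identity, file untouched
	Tampered           string // same signature, file modified after signing
	Blocklisted        string // same file, certificate now on an abuse blocklist
}

// Demo builds a throwaway root, issues a leaf to an invented vendor, signs a constructed payload, checks it three ways.
func Demo() Result {
	ca, caKey := issue("Example Root CA", 1, true, nil, nil)
	// The CA validated only the paperwork the (fake) applicant supplied, so this leaf
	// is technically flawless even though "Acme Software Ltd" is fictitious.
	leaf, leafKey := issue("Acme Software Ltd", 4242, false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	payload := []byte("MZ... constructed stand-in for an installer binary") // constructed sample
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	check(err)
	tampered := append([]byte("X"), payload[1:]...)      // first byte changed after signing
	abused := map[string]bool{fingerprint(leaf): true} // feed entry once the cert is seen signing malware
	return Result{
		FraudulentIdentity: verdict(roots, leaf, payload, sig, nil),
		Tampered:           verdict(roots, leaf, tampered, sig, nil),
		Blocklisted:        verdict(roots, leaf, payload, sig, abused),
	}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

`go run` prints the three verdicts. The first is the uncomfortable one: a correctly issued certificate obtained under a false identity passes every cryptographic check, which is exactly why signed adware like the OpenSUpdater samples above gets past defenses. Detection therefore has to come from revocation and from blocklisting the abused certificate's fingerprint or serial, not from asking whether the signature is valid.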