Digital Certificates- When the Chain of Trust is Broken - Intezer
Analyze and classify 50 suspicious files per month for free. Get Started

Digital Certificates- When the Chain of Trust is Broken

Written by Gal Vardi

    First Name
    Last Name
    Job Title

    Join our free community
    Get started
    Share Article

    As stated in a previous blog entry, it is common for malware authors to sign malicious files with “legitimate” digital certificates in order to bypass security products. In some cases, certificates are stolen or faked by advanced threat actors using complex techniques. But sometimes, certificate theft is as simple as legally purchasing a certificate from a CA under a false identity.

    The latter is a CA-side error, where the CA fails to properly verify the client’s identity. This constitutes a breach in the chain of trust that PKI signing relies on, which raises two questions:

    1. How far down the chain can the trust be breached?
    2. Are there any truly trustworthy CAs?

    To answer these questions, we picked a test dataset of about 5000 files from our database: 50% of which are trusted and 50% malicious, all having valid digital signatures. Our goal was to find out which certificates are being used for each group at every level- root, intermediate and end-user.

    Comparing the root CAs used in trusted and malicious files, we can see how often even major CAs are compromised:

    In fact, the only major root CA that hasn’t been compromised is Microsoft. We believe this is because Microsoft certificates are used only in Microsoft products and threat actors do not have the opportunity to legally buy them.

    It is worth noting that there have been a few documented cases of highly advanced threat actors faking Microsoft certificates. One example is Lazarus’ usage of self signed certificates, all named “Microsoft Code Signing PCA”. These certificates are considered valid by Sigcheck and similar tests, because these tests don’t necessarily validate the entire chain of trust. However, you can see that there is only one signer rather than the usual chain. (example)

    Analyzing intermediate certificates shows similar results to root certificates. These are the intermediate certificates that appear a significant amount of times in trusted files, but not in malicious ones:

    Microsoft Code Signing PCA 148
    Microsoft Windows Production PCA 2011 100
    Intel External Issuing CA 7B 20
    Microsoft Windows Third Party Component CA 2012 13

    As you can see, these certificates are issued by Microsoft and Intel, and are indeed used only in these companies’ products.

    On the other hand, when it comes to end-user certificates, there are many more certificates that appear only in trusted files. Some examples of certificate names are “Adobe Systems Incorporated”, “Symantec Corporation”, “McAfee Inc.”, “CyberLink”, “Dropbox Inc”, “Apple Inc”. and “LENOVO”.

    As a general rule, it seems that it is extremely difficult for threat actors to acquire certificates from legitimate, established technological companies.

    To conclude, it is quite common for threat actors to legally purchase certificates from legitimate CAs, and even the greatest root CAs aren’t safe. However, it is much rarer to see malware use a certificate from well-established corporations such as Microsoft, Intel and Adobe, whose certificates are only used for their own products.

    Seeing as we can’t blindly trust digital signatures, security policies should integrate solutions that address the concern of stolen or fake certificates. Intezer Analyze™ offers one such solution, using Code Intelligence, our unique technology based on code reuse detection, revealing attacks that could otherwise bypass existing security tools.

    For instance, let’s examine this sample of Innaput, which has a valid certificate issued by Comodo:

    Intezer Analyze™ recognizes the sample for what it is.

    We invite you to try Intezer Analyze for yourself!

    Gal Vardi

    Data analyst with experience in information security and threat intelligence. Currently working as an analyst at Intezer Labs.

    © 2021 All rights reserved