As stated in a previous blog entry, it is common for malware authors to sign malicious files with “legitimate” digital certificates in order to bypass security products. In some cases, certificates are stolen or faked by advanced threat actors using complex techniques. But sometimes, certificate theft is as simple as legally purchasing a certificate from a CA under a false identity.
The latter is a CA-side error, where the CA fails to properly verify the client’s identity. This constitutes a breach in the chain of trust that PKI signing relies on, which raises two questions:
1. How far down the chain can the trust be breached?
2. Are there any truly trustworthy CAs?
To answer these questions, we picked a test dataset of about 5000 files from our database, 50% of which are trusted and 50% malicious, all having valid digital signatures. Our goal was to find out which certificates are being used for each group at every level: root, intermediate and end-user.
Comparing the root CAs used in trusted and malicious files, we can see how often even major CAs are compromised:
In fact, the only major root CA that hasn’t been compromised, meaning that none of its certificates appear in our malicious samples, is Microsoft. We believe this is because Microsoft certificates are used only in Microsoft products, so threat actors do not have the opportunity to legally buy them.
It is worth noting that there have been a few documented cases of highly advanced threat actors faking Microsoft certificates. One example is Lazarus’ usage of self-signed certificates, all named “Microsoft Code Signing PCA”. These certificates are considered valid by Sigcheck and similar tests, because these tests don’t necessarily validate the entire chain of trust. However, you can see that there is only one signer rather than the usual chain.
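The following Go program is an added example, not code from the original post: it constructs a self-signed certificate carrying the “Microsoft Code Signing PCA” name, plus a constructed root with a leaf it issued, and contrasts a name-only check with full chain validation against a trust store. All names and certificates are constructed, and the certificate pool stands in for a real root store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert returns a constructed certificate and its key: self-signed (one signer, no chain) when parent is nil, otherwise issued by parent.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{ // KeyUsage is left unset so one template serves root and leaf; Go accepts an absent key usage
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // self-signed: issuer and subject are the same entity
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NameOnlyCheck mirrors a shallow test: Microsoft's intermediate CA name on the signer plus a signature that verifies with the certificate's own key.
func NameOnlyCheck(leaf *x509.Certificate) bool {
	err := leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature)
	return err == nil && leaf.Subject.CommonName == "Microsoft Code Signing PCA"
}

// ChainCheck builds a path from the signer to a root in the trust store and requires the code-signing EKU; a lone self-signed signer fails.
func ChainCheck(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

func main() {
	root, rootKey := makeCert("Constructed Trusted Root", true, nil, nil)
	roots := x509.NewCertPool() // stands in for the system root store
	roots.AddCert(root)
	vendor, _ := makeCert("Constructed Vendor Inc", false, root, rootKey)
	fake, _ := makeCert("Microsoft Code Signing PCA", false, nil, nil)
	fmt.Println("vendor: name-only", NameOnlyCheck(vendor), "chain", ChainCheck(vendor, roots))
	fmt.Println("fake:   name-only", NameOnlyCheck(fake), "chain", ChainCheck(fake, roots))
}
```

The impostor passes the name-only check and fails chain validation, while the properly issued leaf does the opposite; a verifier that stops at the signer's name and its own signature is the gap the post describes.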
Analyzing intermediate certificates shows similar results to root certificates. These are the intermediate certificates that appear a significant number of times in trusted files, but not in malicious ones:
| Intermediate certificate | Occurrences in trusted files |
|---|---|
| Microsoft Code Signing PCA | 148 |
| Microsoft Windows Production PCA 2011 | 100 |
| Intel External Issuing CA 7B | 20 |
| Microsoft Windows Third Party Component CA 2012 | 13 |
As you can see, these certificates are issued by Microsoft and Intel, and are indeed used only in these companies’ products.
On the other hand, when it comes to end-user certificates, there are many more certificates that appear only in trusted files. Some examples of certificate names are “Adobe Systems Incorporated”, “Symantec Corporation”, “McAfee Inc.”, “CyberLink”, “Dropbox Inc”, “Apple Inc.” and “LENOVO”.
As a general rule, it seems that it is extremely difficult for threat actors to acquire certificates from legitimate, established technology companies.
To conclude, it is quite common for threat actors to legally purchase certificates from legitimate CAs, and even the largest root CAs aren’t safe. However, it is much rarer to see malware use a certificate from well-established corporations such as Microsoft, Intel and Adobe, whose certificates are only used for their own products.
Since we can’t blindly trust digital signatures, security policies should integrate solutions that address the concern of stolen or fake certificates. Intezer Analyze™ offers one such solution, using Code Intelligence, our unique technology based on code reuse detection, to reveal attacks that could otherwise bypass existing security tools.
For instance, let’s examine this sample of Innaput, which has a valid certificate issued by Comodo:
Intezer Analyze™ recognizes the sample for what it is.
We invite you to try Intezer Analyze for yourself!