
Hackers sell certificates that allow code signing of malicious instructions
November 4, 2015

New research from threat intelligence company InfoArmor reveals that hackers are now selling digital certificates that allow malicious code to be signed, creating a lucrative and expanding cottage industry in the process.

In just one instance, a hacker tricked a legitimate certificate authority into issuing digital certificates for malware before marketing a cyber-espionage tool called GovRAT.

In case you didn't know, GovRAT is a malware creation tool that comes bundled with digital certificates for code signing. It was initially sold through TheRealDeal Market, an underground marketplace on the so-called dark net that's only accessible using Tor. Remember SilkRoad, anybody?

The cyber-espionage toolkit was offered for sale at just 1.25 Bitcoin (US $420, at current rates) before the seller began selling it privately.

Other similar posts were also found promoting code-signing certificates in various underground marketplaces. Hackers price those certificates at between $600 and $900 depending on the issuing company.

Code-signing certificates issued by Comodo, Thawte, DigiCert and GoDaddy – firms well known for supplying digital credentials to legitimate software developers – are among those on offer.

Andrew Komarov, president and chief intelligence officer at InfoArmor, explained that these sellers are courting hackers and cyberspies looking to mount distributed, targeted attacks.

“The buyers are blackhats, mostly state-sponsored malware developers,” Komarov said. “It is professional audience mostly, as typical script kiddies and cybercriminals don’t need such elements. It is used in APTs, organized for targeted and stealth attacks.”

“Worse, the overall appearance of such services on the blackmarket allows hackers to perform them much more easily, rather like Stuxnet,” he added.

Stolen or outright fake certificates were discovered in the Stuxnet worm and the Sony hack, both high-profile attacks.

Additionally, InfoArmor’s research suggests the technique is being made available to a far wider range of potential attackers.

“It's a very specific niche of modern underground market,” Komarov added. “It can’t be very big, as the number of certificates is rather limited, and it is not easy to buy them, but according to our statistics, the number of such services is significantly growing.”

InfoArmor estimates that cybercrooks are getting hold of these certificates through resellers.

“Bad actors acquire digital certificates through resellers, where the due diligence of customers is rather poor,” Komarov explained. “They provide fake names, or fake information about the author and purpose on why they need this certificate, and then receive it, nevertheless. After they have received such certificates, they trade it on the blackmarket for malware developers, allowing them to create signed malware for further APT in the following minutes.”

The process raises several security red flags. The certificates can be used to sign far more than just executable files: it is also possible to sign device drivers, Microsoft Office documents, Java content and many other file types, even MIME types.

Not surprisingly, the Russian-speaking hackers behind those sales boast that certificate revocation, the process that would invalidate a rogue code-signing certificate, is slow and in any case extremely rare.
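The two points above (certificates that can sign far more than executables, and revocation that is slow or never happens) are why a defender should inspect the signer certificate itself rather than stop at "the signature validates". The following is an added example, not code from InfoArmor or this site, using Python's cryptography library with a constructed issuing CA, leaf certificates and CRL: a signer is accepted only if its EKU actually permits code signing and its serial number is absent from a CRL that the expected issuer really signed.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW, DAY = datetime.datetime.now(datetime.timezone.utc), datetime.timedelta(days=1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _builder(subject, issuer, pubkey, days):
    return (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + days * DAY))

def make_ca():
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder("Example Issuing CA", _name("Example Issuing CA"), key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_leaf(ca_key, ca_cert, cn, code_signing=True):
    # Constructed leaf certificate; the EKU decides whether it may sign code at all.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    eku = ExtendedKeyUsageOID.CODE_SIGNING if code_signing else ExtendedKeyUsageOID.SERVER_AUTH
    return (_builder(cn, ca_cert.subject, key.public_key(), 365)
            .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials):
    # CRL the CA publishes; any serial listed here is revoked.
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + 7 * DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def signer_status(cert, ca_cert, crl):
    """Classify a signer certificate: 'ok', 'revoked', 'not-code-signing' or 'bad-crl'."""
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "bad-crl"  # a CRL not signed by the expected issuer proves nothing
    ekus = [e.value for e in cert.extensions if isinstance(e.value, x509.ExtendedKeyUsage)]
    if not any(ExtendedKeyUsageOID.CODE_SIGNING in eku for eku in ekus):
        return "not-code-signing"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"
```

A real deployment would fetch the CRL (or an OCSP response) from the URL in the certificate's CRL distribution point extension and also verify the leaf chains to a trusted root; the function above only shows the EKU and revocation decisions.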

Incredibly, some cybercriminals have even begun offering malware-signing-as-a-service (MSaaS), using prepared digital certificates.

One such service ran from a website called before the domain was suspended by the registrar. Worse, the hacker behind the whole operation is still in business, committing more mischief, according to InfoArmor.

Source: InfoArmor Internet Security.