Russian sells at least one digital certificate per week

Oct 15, 2014 22:59 GMT

A poster on a Russian underground forum is selling valid code-signing certificates, intended to help malware evade antivirus detection, at a rate of one or two per week, according to a web intelligence company.

Digital certificates are used to sign programs so that recipients can verify that the code has not been altered since it was signed, for example by someone tampering with it for malicious purposes.

This used to be an effective way to verify that the code being installed on a machine is legitimate and has not been tampered with. However, cybercriminals have found ways to obtain legitimate certificates and use them to sign malware.

Russian makes thousands of dollars in two months

According to a blog post from SenseCy, a division of the cyber intelligence company Terrogence, the seller first pitched the offer about two months ago and has been adding updates to the thread on a regular basis since then.

The first certificate was sold for about $1,000 / €787, and the following day the poster published a message saying that he could provide up to two certificates for signing EXE files per week, SenseCy reports.

The forum poster has made it clear to his audience that the certificates he sells are not for drivers and only work for EXE, DLL and JAR files, as well as DOC documents. However, it appears that he can also obtain driver-signing certificates.

SenseCy reports that between seven and ten certificates were sold during its two-month monitoring period.

Origin of the certificates has yet to be established

Although the forum thread includes various details about the “merchandise” along with comments from buyers, there is no information about the entity that issued the certificates or the company to which they were issued.

Likewise, it remains unknown how the certificates are obtained. Speculation points to several possibilities: breaching a company that buys them, compromising a reseller, or simply reselling legally purchased certificates.

“The forum thread was opened on a Russian password-protected forum that serves as an illegal platform for cybercrime related discussions. On the forum, one can find sales of financial malware, stolen databases and exploits, as well as technical discussions regarding hacking and programming,” SenseCy says.

The company warns of a possible abundance of signed malware in the near future and points to the 2011 DigiNotar breach, which ended with that company going bankrupt.