Abusing Code Signing for Profit
Signing a Windows executable file was originally conceived as a mechanism to guarantee the authenticity and integrity of a file published on the internet. Since its inception, the process of cryptographically signing a piece of code was designed to give the Operating System a way to discriminate between legitimate and potentially malicious software. Unfortunately, this system is built on a problematic core tenet: Trust.
The chain of trust is relatively straight-forward: certificates are signed (issued) by trusted certificate authorities (CAs) , which have the backing of a trusted parent CA. This inherited trust model is taken advantage of by malware authors who purchase certificates directly or via resellers. Whether purchased directly or indirectly, due diligence into customers appears to be lacking. Revoking a certificate, the process by which a CA says the certificate is no longer trustworthy, is unfortunately the only real tool available to combat certificate abuse. This process introduces a delay in which malware with a certificate may be considered “trusted”.
Chronicle researchers hunted within VirusTotal to gain a deeper understanding of this issue. For this investigation researchers only included Windows PE Executable files, filtered out samples with less than 15 aggregate detections, aggressively filtered out grayware files, and calculated the distinct number of samples each signing CA was responsible for (note: the samples may have different certificates, the focus is on the signing CA only). Data was collected within a 365 day span with an initial start date of May 7th, 2019.
In total, 3,815 malware samples met the filtering criteria. Figure 1 shows the top 25 abused CAs as well as the total number of samples signed.
As indicated in Figure 1, CAs who signed certificates of 100 or more malware samples account for nearly 78%of signed samples uploaded to VirusTotal. This is broken down further in Figure 2 below.
Figure 2 depicts the drop off of malicious samples per signing CA. The CA with the most samples has nearly 3.5xmore samples than the next highest which in turn has almost 2xmore than the next highest. The pattern quickly falls off as we move down the line of the top 10 CAs issuing abused certificates.
There is some hope! When evaluating this data we determined that 21%of samples had their certificates revoked at the time of writing (May 8th, 2019). This indicates that CAs are taking some action. Note that for the revocation of a certificate to be reflected in the VirusTotal dataset, the sample must be rescanned following the revocation request by the responsible CA.
What Does This Mean Going Forward?
While malware abusing trust is not a new phenomenon, the popular trend of financially motivated threat actors buying code signing certificates illuminates the inherent flaws of trust based security. Signed payloads are no longer solely within the domain of nation-state threat actors stealing code signing certificates from victims; they are readily accessible to operators of crime focused malware. The impact is amplified by the scope and scale of typical crimeware campaigns. Expect to see signed malware reported more frequently.
All hope is not lost. Certificate authorities are actively revoking certificates from malware executables that are identified in the wild. This indicates that CAs do take their responsibilities seriously, though more diligence around buyers may help prior to the proverbial cat being out of the bag.
All graphics as well as a CSV of the hashes, day last observed, and signer chain of all 3,815 files are provided for analysis here:
Chronicle Researchers would like to thank https://twitter.com/malwrhunterteam for inspiring this study.