There's a thriving underground market for buying and selling code-signing certificates meant to help malware pass unnoticed by security scanners, but according to new research, the prices for such certificates are too high, and only a few hackers can afford one.
It's been known for years that the hardest malware to detect is the one that's signed with certificates issued to well-known and established companies.
But for a long time, it's been believed, and rightfully so, that hackers got their hands on such certificates by stealing them from the networks of legitimate companies, their partners, or the Certificate Authorities (CAs) themselves.
New research published today reveals a different picture from the one most security experts believe. According to Andrei Barysevich, Director of Advanced Collection at Recorded Future, the vast majority of illicitly obtained certificates are available to cyber-criminals because of fraud, not because a CA's network was hacked.
"It’s been generally accepted that security certificates circulating in the criminal underground were stolen from legitimate owners prior to being used in nefarious campaigns," Barysevich tells Bleeping Computer.
"However, our most recent analysis indicates this is not the case. We have confirmed – with a high degree of certainty – that counterfeit certificates are created for specific buyers, per request, only and registered using stolen corporate identities," the expert adds.
In a report published earlier today, Barysevich reveals that crooks operate via online shops. Clients place an order, and the shop's owner goes to a CA to request the desired certificate for a fake app or website. To obtain one, he uses stolen identities from a legitimate company and its employees.
"It’s our belief that the legitimate business owners are completely unaware that their data was or is being used in these illicit activities," Barysevich says.
The expert's research also revealed that crooks found success in obtaining legitimate code-signing certificates from popular CAs such as Comodo, Thawte, and Symantec on a regular basis.
The sellers then hand over the certificates to the clients, who use them to encrypt HTTPS traffic or sign apps, making them appear to come from a legitimate and trusted source.
The first shops for selling certificates appeared in 2015. Recorded Future tracked four groups/individuals selling certificates on specialized underground hacking forums. While two have retired, two are still active, continuing to sell code-signing certs on Russian-speaking forums.
Prices for such code-signing certificates on the underground market range from $299 to $1,799, with the top-of-the-line products including EV (Extended Validation) certificates, the highest level of trust certificates can get.
However, despite a budding market for such AV evasion tools, they are still not very widespread among malware developers.
According to Barysevich, the high price is what keeps most malware authors away. Other AV evasion tools, such as crypters, are still quite effective these days and are available at much lower prices.
"While we don’t anticipate the widespread use of counterfeit [certificates], we do believe that sophisticated actors with specific targets will continue to rely on fake code signing and SSL certificates as a part of their operations," Barysevich tells Bleeping Computer, alluding to the fact that threat actors who value stealth over cost will continue to rely on such certificates on a regular basis, regardless of their price.