Researchers have identified a new threat actor that is using impersonation fraud to purchase digital certificates that are then used for the spread of malware.
Security firm ReversingLabs identified a bad actor that deceives certificate authorities into selling them legitimate digital certificates by impersonating company executives, according to a blog post by chief architect and co-founder Tomislav Pericin. Once purchased, the bad actor sells the certificates on the black market for digitally signing malicious files, mainly adware, he said.
“Certificates are valuable resources to threat actors, as their mere presence can reduce the chance of early malware detection,” he wrote. “This is particularly true for financially motivated actors.”
ReversingLabs used public threat intelligence data to reconstruct the timeline of a fraudulent purchase of digital certificates, including the impersonation of a legitimate entity. That included proof that the bad actors provided the purchased certificates to a cybercrime group and that the certificates were used to spread malware via signed malicious files, according to the post.
Digital certificates allow their owners to cryptographically link their identity to a public key for authentication purposes. Abusing them is both particularly dangerous and highly valuable for threat actors: it lets them elude detection of their nefarious activities and fool users into downloading malware, because signed files appear legitimate to their systems, Pericin wrote.
Indeed, while there are numerous protections in place to prevent the fraudulent purchase of digital certificates, including continuous monitoring to ensure their validity, their inherent value to cybercriminals has long made them a target of exploitation.
In his post, Pericin outlined the steps the bad actors took to purchase and abuse the certificates. The first step is to identify a target to impersonate by studying publicly available information and following particular selection criteria, which can take some time.
“A person well-established in their industry, with easily verifiable history is a preferred target,” Pericin wrote. “Since the goal is to acquire a code signing certificate, the perfect victim is someone working in the software industry.”
Once identified, threat actors then go about setting up legitimate-looking infrastructure for the entity they’re impersonating to convincingly deceive certificate authorities, researchers said. This involves registering a domain and using tricks such as redirecting emails so correspondence to the company being impersonated goes to attackers instead.
With everything in place, threat actors then proceed to purchase the certificates and verify them. This latter step is done in a unique way, using a public antivirus scanning service so that, once the certificates are sold on the black market, the file scan record can act as “a clean bill of health” for potential buyers, Pericin wrote in the post.
ReversingLabs observed fraudulently obtained certificates being used to sign adware such as OpenSUpdater, an app that can install unwanted software on a client’s machine. While signing adware was the predominant use the company identified, other types of malware were also distributed using the certificates, researchers said.
Pericin acknowledged that the contemporary security environment makes it difficult for attackers to bypass protections and acquire digital certificates for fraudulent use. However, the impersonation scheme uncovered by ReversingLabs shows that “it is in fact possible to do so,” he wrote, warning organizations to be aware of the risk.
“Certificates are a hugely important piece in building trusted environments,” he wrote. “Studying their use and misuse is the only way to preserve their relevance.”