W3 May | EN | Story of the week: Code Signing Certificate on the Darkweb

Hyunmin Suh

Published in

S2W BLOG

8 min readMay 17, 2021

Trust but verify

Co-Author: Denise Dasom Kim, Jungyeon Lim, YH Jeong | S2W LAB Talon

Executive Summary

Code signing certificates have been used since Stuxnet incident (2011) as of today. Malware using code signing certificate is classified as highly reliable software and is less likely to be detected by Anti Virus (AV). It is known that attackers prefer code signed certificates as the most of current Internet and security systems are oriented toward trust and reputation dependent models.

Code signing certificates began to be sold on the dark web from around 2015 to 2016, and are mostly spotted on Russian speaking forums. Until recently, code signed certificates are being sold by various sellers on the forums and prices ranging from $400 to $3500 depending on the grade of the certificate.

It is important to consider the fact that this criminal ecosystem being active is that sellers have been constantly supplying certificates of legitimate companies, which can be seen that those of companies and developers’ lack of security awareness and negligence of management provided the cause of hacking code signing certificates processing servers.

Most of the code signing certificate issues had already been a big issue in the past, so many people regard this issue as just an old case. However, attackers are still interested in code signing certificate servers and still being traded on the dark web or via hidden channels.

Code signing certificate sales posting in the dark web

According to the seller, it can issue a certificate of global brand C that issues SSL certificates. And the price ranges from $500 to $2600.

If you develop a software without code signing, the biggest difference is in the User Account Control (UAC) part when executing the software.

Image from SSL2BUY (https://www.ssl2buy.com/wiki/regular-code-signing-vs-ev-code-signing)

CodeSigning vs SSL Certificate

Image from SECTIGO store (https://sectigostore.com/blog/differences-between-ssl-certificates-and-code-signing-certificates/)

As can be seen from above diagram, the main difference between SSL certificate and code signing certificate is whether you own a website or you publish downloadable software, applications, etc.

If so, let’s have a look how the EV is different in the code signature.

Code Signing vs Code Signing EV

The code signing EV mentioned by seller means Extended Validation (EV) code signing certificates, which differs from the general code signing certificate in that the private key is stored in a separate hardware token in the case of EV. The most noticeable difference when running the software is that the Windows Smart Screen Filter warning does not appear when using EV code signing certificates.

Image from Code Signing Store (https://codesigningstore.com/code-signing/digicert-ev-code-signing?gclid=CjwKCAjwy42FBhB2EiwAJY0yQllulxfYB-XGcN0Cesmj4AJocNnjPxlpWk4KNyOdEV1MkriGQm5IgRoCdV4QAvD_BwE)

Because of this, many cybercriminals use code signed certificate to increase the success rate of attacks when creating malwares.

However, the certificate cannot be issued by anyone, it is required to submit documents such as business registration certificate, tax payment certificate, and etc. to authorities and go through examination process. Therefore, attackers directly steal the code sign certificate by compromising legitimate company’s certification server, or purchase it from the dark web sellers.

Then, let’s take a look at how many sellers are still active on the dark web forums.

Code Signing Certificate Sellers on the dark web

As can be seen from the table, users have been active from at least 2 months to 7 years. In this regard, code signing certificates can be seen as quite a popular product on the dark web.

Seller’s Posts in Exploit[.]iN Forum

Megatraffer

Digital certificates for sale, from the oldest and most trusted service!🎖️We offer:
- regular (non-EV) code signing certificates
- EV code signing certificatesPrice
- non-EV certificate - $700- EV code signing certificate - $3500All certificates:
- valid for 1 year, can also make them for 2 yearsWhy signing files?
- to avoid red/yellow UAC warnings
- to avoid SmartScreen alerts
- signed software is much more trusted by users
- some antiviruses block ALL unsigned software from being executedBenefits of EV Code Signing certificates
- removes SmartScreen blue windows immediately
- maximum level of trust by AVs
- EV certificate is a 'must have' if you want to sign drivers for Windows 10Contact:***sanitized by s2wlabDouble-check contact details before sending money! Beware of scammers!

Seller’s Posts in XSS[.]IS Forum

Firefox

There is a ready-made C**** Code Signing certificate (standard), made for sale, released on 04/15/2019, valid for 1 year.Price: 350 $In the future, I am considering the possibility of manufacturing the entire range of certificates from C***, both ready-made and to order.When buying this product, you yourself must understand what it is for and how to use it.Also, along with the certificate, you can redeem the C**** account associated with it - in this case, the price is negotiated individually.
If there is a stable demand, we will gradually expand the range and volumes. A similar top on the ex: / topic / 155539 /***sanitized by s2wlab

Seller’s Posts in Telegram

SamCodeSign

⚡️⚡️⚡️Сертификаты в наличии / Certificates in stock⚡️⚡️⚡️
    
🇺🇸🇺🇸🇺🇸1)
Type: EV Code Signing
Status: New 🔥
Term: 1 year
CA: S***
Conditions: Installed on a token. Only shipping is at the buyer's expense.
Quantity: 4 in stock
Price: $3300. 💵2)
Type: EV Code Signing
Status: New 🔥
Term: 1 year
CA: D***
Conditions: Remote installation on your token.
Quantity: 1 piece in stock
Price: $3600. 💵3)
Type: EV Code Signing
Status: Old ⏳
Term: until June 26, 2021
CA: G***
Conditions: Remote installation on your token.
Quantity: 1 piece in stock
Price: $2600. 💵

Conclusion

Malware signed with stolen certificates have been found constantly. As mentioned earlier, the reason why the criminal ecosystem is still active today is that there is an abundance of supply chains in which hackers constantly bringing legitimate companies’ certificates.

It is difficult for general companies to cope with malicious code signed with legitimate companies certificates. Therefore, the most fundamental solution is to raise the security awareness of companies and developers for the code signing certificate server and manage them in cautious manner.

References to past cases related to code signing certificates

Case 1 : Private-Key Stolen

Stealing the private-key of a normal software developer, signing the malicious code they developed, and disguised as a legitimate program

Case 1–1. Stuxnet malware incident related

Date of incident: January 2011
Malware used: Trojan — Zeus
Incidents explained: Use of stolen digital signatures by Realtek Semiconductor Corp. based in Taiwan

Digital signature that was stolen at the time of incident (see the reference 13)

According to Kaspersky, JMicron and Realtek announced the possibility of infection with Zeus, a Trojan that steals digital signatures. They also provided that digital signatures stolen could not only be used by attackers on the stuxnet driver, but could also be sold on the black market.

Case 1–2. Sony Pictures hacking incident related

Date of incident: November 2014
Malware used: Destover Malware
Incidents explained: Destover Malware signed by stolen sony certificate, and hijacked pfx file

Case 2 : Compromised Code Signing Process Server

Signing malicious codes of hackers by compromising the server that performs code signing process.

Case 2–1. Adobe hacking incident

Date of incident: September 2012
Malware used: pwdump7 v 7.1, myGeeksmail.dll
Incidents explained: Attackers penetrated the network and reached a build server on which they requested a signature for two malicious utilities.

Case 2–2. Bit9 system hacking incident related

Date of incident: February 2013
Malware used: Trojan, Backdoor.Hikit
Incidents explained:
- Web Server hacked by SQL injection, and installed Backdoor.Hikit
- Accessed to virtual machine that processes digital signature
- 32 malicious file’s been tampered

Case 3 : Direct Attack on Certificate Authority

Compromising the Certificate Authority (CA) that issues code signing certificate and manipulating them to issue code signing certificates for attacker

Case 3–1. Comodo Certificate Authority (CA) breached case

Date of incident: March 2011
Malware used:
Incidents explained:
- Create a new ID after hijacking a user account registered with RA in South Africa (InstantSSL.it), issuing 9 fake certificates
- ComodoHacker gets a full access to the RA network then reverse engineered the DLL (TrustDll.dll) handling certification request
- ComodoHacker post : https://pastebin.com/DBDqm6Km
- The username and password are hard-coded in the DLL file, allowing hackers to connect directly to the API used to sign certificates
- Created its own CSR (Certificate Signing Request), then signed with the API already have an access to, and issued 9 fraudulent certificates for the CAs mentioned above

Case 3–2. DigiNotar Certificate Authority (CA) breached case

Date of incident: August 2011
Vulnerability used: Web server vulnerability
Incidents explained:
- Google’s chrome team discovered that DigiNotar-issued certificate doesn’t match google.com’s internal list of certificates
- Web server hacked → Office-Net hacked → Secure-Net hacked including CA server → Activated Remote Desktop protocol and connected
More than 531 fraudulent certifications has been issued.
DigiNotar — Bankrupted due to its hacking incident
Attacker’s note : https://pastebin.com/1AxH30em