ZeuS variants hide behind snatched certificates

Copying certificates from legitimate files and mimicking signatures from certificate authorities is certainly not a new tactic in the cybercriminals’ arsenal, but is one that seems to gain traction.

The latest example comes from Trend Micro’s researchers, who detected a bunch of suspicious files whose signature seemed to belong to Kaspersky, the well-known security company.

A peek into the certificate revealed not only that the hash value of the file was invalid, but also that the signature had expired:

It seems that the criminals have a sense of irony, since the malicious files in question are ZeuS/ZBOT variants, and the copied signature comes from a Kaspersky tool designed to clean computers from precisely that Trojan family.