Sale of legitimate code-signing certs booms on darknet markets
In the underground cybercrime economy, many players have specialized in one or two skills and services.
It should come as no surprise, then, that some have become experts at getting digital certificates from legitimate certificate authorities, which they go on to sell to those criminals willing to pay for them so they can sign their malware and make target machines “trust” it.
According to researchers from security firm InfoArmor, there are many who are selling code-signing certificates on a number of darknet markets, and their number is slowly increasing.
Depending on who issued the certificate, they can get between $600 and $900 for one certificates. They rarely, if ever, go directly to the source. Instead, they target certificate resellers, who are more lax when it comes to performing checks on the customer.
“They provide fake names, or fake information about the author and purpose on why they need this certificate, and receive it,” InfoArmor president and CIO Andrew Komarov shared with The Register.
The final buyers of the issued certificates are mostly state-sponsored attackers and malware developers, who are looking to make their malware stealthy in order to execute successful persistent, targeted attacks.
Even though the price isn’t that steep, cybercriminals pushing banking Trojans and similar malware on “regular” users usually don’t use code signing certificates. Their target groups are lage enough, most of these users are not that tech savvy, and their machines are not protected enough to stop unsigned malware.
Komarov says that there some cybercriminals offer malware-signing-as-a-service. One even offers a complete malware creation toolkit than includes digital code signing as a feature.
The tool is dubbed GovRAT, and has been spotted being sold on the TheRealDeal Market for 1.25 Bitcoin for a while, until the seller decided to concentrate on private sales.
The tool is intended for APT attackers. Each malware sample created gets its own, unique certificate.
According to the researchers, malware created and signed with GovRAT has been used for targeting political, diplomatic and military employees of over 15 governments around the world, including the US. Other targets include corporations and financial institutions.