New figures from Chronicle show that threat actors increasingly manage to abuse digital certificates in order to sign malware. As a result, operating systems can no longer reliably use such certificates to distinguish legitimate software from malicious programs.
The study, which looked only at highly malicious programs targeting Windows operating systems and ignored uncommon strains, discovered that over a period of twelve months, a total of 3,815 signed malware samples were uploaded to the online malware scanner VirusTotal. Certificate authority (CA) Sectigo accounted for around half of the signed samples.
The report states that “the chain of trust is relatively straight-forward: certificates are signed (issued) by trusted certificate authorities (CAs), which have the backing of a trusted parent CA. This inherited trust model is taken advantage of by malware authors who purchase certificates directly or via resellers.” While CAs regularly revoke certificates for software that turns out to be malicious, this rectifying mechanism is far from perfect.
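The practical consequence for a defender is that a signature whose status reads "Valid" only proves that some trusted CA issued the certificate, not that the publisher is one you expect. The following PowerShell script is an added example, not part of the Chronicle report or this article: it audits the signed binaries under a directory, records the signer, the issuing CA and the certificate thumbprint, rebuilds the certificate chain with online revocation checking, and flags files whose valid signature comes from a CA outside an allowlist. The `$Path` default and the `$ExpectedIssuers` list are assumptions a deployment would replace with its own values.

```powershell
# Added example (not code from the Chronicle report): audit Authenticode-signed binaries
# and report signer, issuing CA and revocation status instead of trusting "Valid" alone.
param(
    [string]$Path = "C:\Temp\samples",   # assumed directory of binaries to audit
    [string[]]$ExpectedIssuers = @()     # assumed allowlist of issuer CNs your org expects
)

Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll,*.sys -File | ForEach-Object {
    $file = $_.FullName
    $sig = Get-AuthenticodeSignature -FilePath $file
    $subject = $null; $issuer = $null; $thumb = $null; $revocation = 'n/a'

    if ($sig.SignerCertificate) {
        $cert    = $sig.SignerCertificate
        $subject = $cert.Subject
        $issuer  = $cert.Issuer
        $thumb   = $cert.Thumbprint

        # Rebuild the chain with online revocation checking so a certificate the CA
        # has since revoked shows up here even if the cached signature check passed.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($cert)
        $revocation = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $revocation) { $revocation = 'NoError' }
    }

    # A valid signature from a CA that is not on the allowlist is a signal to investigate,
    # not a pass: the report shows malware authors buy certificates from legitimate CAs.
    $unexpected = $false
    if ($sig.Status -eq 'Valid' -and $ExpectedIssuers.Count -gt 0) {
        $match = $ExpectedIssuers | Where-Object { $issuer -like "*CN=$_*" }
        $unexpected = -not $match
    }

    [pscustomobject]@{
        File             = $file
        Status           = $sig.Status
        Subject          = $subject
        Issuer           = $issuer
        Thumbprint       = $thumb
        Revocation       = $revocation
        UnexpectedIssuer = $unexpected
    }
}
```

Two caveats when reading the output. `Get-AuthenticodeSignature` honours timestamp countersignatures, so a file signed before its certificate expired still reports `Valid`; the plain `X509Chain` rebuild does not, and may report `NotTimeValid` for such files, which is worth a second look rather than an automatic block. And the revocation column only catches certificates the CA has already revoked, which, as the article notes, happens late or not at all, so the `Issuer` and `Thumbprint` columns are what you feed into an allowlist or a detection rule.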
Read more: Volume of Signed Malware Increases, CAs Need Better Vetting