Comodo center of certification (known now as Sectigo) released the greatest number of certificates that were used for signing of the malware program samples, found on VirusTotal.
It discovered Chronicle specialists during the conducted research.
The chain of trust is relatively straight-forward: certificates are signed (issued) by trusted certificate authorities (CAs), which have the backing of a trusted parent CA. This inherited trust model is taken advantage of by malware authors who purchase certificates directly or via resellers. Whether purchased directly or indirectly, due diligence into customers appears to be lacking.
“Unfortunately, system of certificates is built on a problematic core tenet: Trust”, — argue Chronicle experts.
In the research, Chronicle employees deepen in the analysis of executables Windows files (PE) that were uploaded in popular service of files’ analysis VirusTotal.
Next, experts highlighted signed malicious executables and broke them into two groups, with every of them using its own signature certificate.
Experts discovered that in 3815 studied malwares 1775 had Comodo certificate, 509 – Thawte, 261 – VeriSign, 131 – Symantec and 118 – DigiCert.
Collected data also showed that certificates from 21% of samples were recalled before May 8, 2019.
“All hope is not lost. Certificate authorities are actively revoking certificates from malware executables that are identified in the wild. This indicates that CAs do take their responsibilities seriously, though more diligence around buyers may help prior to the proverbial cat being out of the bag”, — argued Chronicle experts.
Experts highlighted that the only way to address using certificates in criminal purposes is their recalling.