Security researchers report that hackers are selling legitimate code signing certificates so that malware can be signed to bypass detection. Popular operating systems such as macOS by default only allow applications with valid signatures to run, so hackers and malware authors often use stolen corporate code signing certificates to get past malware detection.
Beyond stolen certificates, the researchers found hackers selling certificates issued by well-known CAs such as Comodo, Symantec and Thawte, and even Apple, with a standard certificate priced at $299 and an EV certificate priced at $1,599.
The researchers said the hackers sold more than 60 certificates in just six months, but sales have since plummeted as cheaper obfuscation tools came onto the market.
Network security appliances performing deep packet inspection become less effective when a malicious implant initiates SSL/TLS traffic using a legitimately issued certificate. NetFlow (packet header) analysis is therefore an important compensating control, since host-based controls may likewise be rendered ineffective by legitimately issued code signing certificates.
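As an added example of the header-level control described above (this is illustrative code, not part of the Recorded Future report), the script below runs a simple beacon check over NetFlow-style records. Payload inspection gains nothing from a session protected by a valid certificate, but timestamps, endpoints, ports and byte counts remain visible, and an implant calling home on a schedule produces near-constant intervals and near-constant sizes to one destination. The flow records, the IP addresses and all thresholds (`min_flows`, `max_interval_cv`, `max_size_cv`) are constructed assumptions for the demonstration and would need tuning per environment.

```python
"""Beacon detection over NetFlow-style records (added example, not from the report).

Flow metadata stays visible even when deep packet inspection is blinded by a
valid TLS certificate. Periodic connections to one destination with a low
coefficient of variation (stdev / mean) in both inter-flow interval and bytes
sent are a classic beaconing indicator. Sample data and thresholds below are
constructed assumptions, not values from the report.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch seconds, src_ip, dst_ip, dst_port, bytes_out).
SAMPLE_FLOWS = [
    # Host 10.0.0.5 contacts 203.0.113.10:443 roughly every 60 s with small jitter.
    (1000, "10.0.0.5", "203.0.113.10", 443, 512),
    (1061, "10.0.0.5", "203.0.113.10", 443, 520),
    (1119, "10.0.0.5", "203.0.113.10", 443, 508),
    (1180, "10.0.0.5", "203.0.113.10", 443, 515),
    (1241, "10.0.0.5", "203.0.113.10", 443, 512),
    (1299, "10.0.0.5", "203.0.113.10", 443, 519),
    (1360, "10.0.0.5", "203.0.113.10", 443, 510),
    (1420, "10.0.0.5", "203.0.113.10", 443, 514),
    # Host 10.0.0.7 browses 198.51.100.20:443 in bursts with varied sizes.
    (1000, "10.0.0.7", "198.51.100.20", 443, 1400),
    (1005, "10.0.0.7", "198.51.100.20", 443, 23000),
    (1007, "10.0.0.7", "198.51.100.20", 443, 800),
    (1130, "10.0.0.7", "198.51.100.20", 443, 56000),
    (1131, "10.0.0.7", "198.51.100.20", 443, 2200),
    (1600, "10.0.0.7", "198.51.100.20", 443, 900),
    (1602, "10.0.0.7", "198.51.100.20", 443, 31000),
    # Host 10.0.0.9 has too few flows to judge.
    (1000, "10.0.0.9", "192.0.2.7", 443, 600),
    (1060, "10.0.0.9", "192.0.2.7", 443, 600),
    (1120, "10.0.0.9", "192.0.2.7", 443, 600),
]


def group_flows(flows):
    """Bucket flows by (src, dst, dst_port); keep (timestamp, bytes) per flow."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((ts, nbytes))
    return groups


def coefficient_of_variation(values):
    """Return population stdev / mean, or None if the mean is zero or no data."""
    if not values:
        return None
    m = float(mean(values))
    if m == 0:
        return None
    return pstdev(values) / m


def interval_stats(timestamps):
    """Return (mean_interval_seconds, interval_cv) for a list of timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    cv = coefficient_of_variation(gaps)
    if cv is None:
        return None
    return float(mean(gaps)), cv


def find_beacons(flows, min_flows=6, max_interval_cv=0.2, max_size_cv=0.5):
    """Flag (src, dst, port) tuples whose timing and size regularity look like beaconing.

    Thresholds are assumptions for this demo; real deployments tune them and
    combine the result with destination reputation and asset context.
    """
    hits = []
    for (src, dst, port), entries in group_flows(flows).items():
        if len(entries) < min_flows:
            continue  # not enough observations to call a pattern
        stats = interval_stats([t for t, _ in entries])
        if stats is None:
            continue
        interval, interval_cv = stats
        size_cv = coefficient_of_variation([b for _, b in entries])
        if interval_cv <= max_interval_cv and size_cv is not None and size_cv <= max_size_cv:
            hits.append({
                "src": src, "dst": dst, "port": port, "flows": len(entries),
                "interval_s": round(interval, 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['interval_s']}s over {hit['flows']} flows "
              f"(interval cv={hit['interval_cv']}, size cv={hit['size_cv']})")
```

On the constructed data only the 10.0.0.5 to 203.0.113.10:443 pair is reported: its gaps average 60 s with a coefficient of variation near 0.02, while the browsing host fails the interval test and the third host never reaches `min_flows`. The check deliberately uses nothing from the packet payload, which is the point of the text above: certificate validity tells you nothing about intent, but flow timing is hard for an implant to hide without also giving up its scheduled check-in.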
Source: recordedfuture