Threat actors are increasingly mimicking legitimate software such as Skype and Adobe Reader to abuse code signing certificates and boost the success rate of social engineering attacks.
VirusTotal, a public malware-scanning service owned by Chronicle, the security services arm of Google Cloud, has released a study showing the extent to which abuse of code signing certificates has become a standard technique in malware.
The highlights of the study – Deception at Scale: How Malware Abuses Trust – include:
- Since 2021, VirusTotal has found more than 1 million signed malware samples. In 87% of them, the certificate used to sign the sample was still valid when VirusTotal received it.
- 4000 samples either executed legitimate app installers or were packed together with them.
- Many of the most popular domains have distributed “suspicious samples,” including 10% of the Alexa Top 1000.
Some of the legitimate sites found distributing malware are service providers, such as amazonaws.com, squarespace.com, baidu.com, and archive.org; the users uploading malware there are violating the providers' terms of service. Even so, many users will accept a properly signed program from a legitimate site as a matter of course.
Malware increasingly mimicking legitimate software
Malware has increasingly been mimicking legitimate software, with Skype, Adobe Acrobat, and VLC the most common. VirusTotal detects this partly by looking for embedded icons identical to legitimate ones. There was a burst of such malware in January and February of 2022.
The most-mimicked applications in the study were:
- Skype 28%
- Adobe Acrobat 18.2%
- VLC 17.6%
- 7zip 11.5%
- Team Viewer 7.5%
- CCleaner 5.6%
- Microsoft Edge 2.5%
- Steam (Valve) 2.3%
- Zoom 1.8%
- Whatsapp 0.8%
Certificate consumers defenseless against malware signed with legit certificates
Using a similar technique, VirusTotal also looked for fake versions of legitimate web sites by comparing the favicon used on a site with those of the genuine sites. A favicon is an icon associated with a web site. Some web browsers, including Safari, show them in the address bar along with the address. Chrome shows them in the Bookmarks Bar and menu. You’ll also find them on tabs and elsewhere. The three most-mimicked web sites found in this way were WhatsApp (23%), Instagram (22.5%), and Facebook (13%), with a big drop-off after that.
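The icon and favicon comparison described in the two passages above can be reproduced with a perceptual hash. The block below is an added example, not VirusTotal's code or the article's: it implements a difference hash (dHash) over small grayscale images, compares a sample's icon hash against an allowlist of genuine icons, and raises a "lookalike" verdict when the icon matches but the publisher does not. The pixel grids, application name and publisher name are constructed placeholders; a real deployment would extract the icon from the PE resource section or fetch the favicon and map it to grayscale with an image library.

```python
"""Icon/favicon lookalike detection with a difference hash (dHash).

Added example, not VirusTotal's code. Pixel grids and names below are
constructed for the demonstration.
"""
from typing import Dict, List, Optional, Tuple

Gray = List[List[int]]   # rows of 0..255 grayscale values
HASH_W, HASH_H = 9, 8    # dHash compares 8 horizontal neighbour pairs per row


def resize_nearest(img: Gray, width: int, height: int) -> Gray:
    """Nearest-neighbour resample; good enough for hashing, no image library needed."""
    src_h, src_w = len(img), len(img[0])
    return [[img[y * src_h // height][x * src_w // width] for x in range(width)]
            for y in range(height)]


def dhash(img: Gray) -> int:
    """64-bit dHash: one bit per horizontal pixel pair, set when the left pixel is brighter."""
    small = resize_nearest(img, HASH_W, HASH_H)
    bits = 0
    for row in small:
        for x in range(HASH_W - 1):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def upscale(img: Gray, factor: int) -> Gray:
    """Build a larger icon from a base pattern (used only to construct test data)."""
    return [[v for v in row for _ in range(factor)] for row in img for _ in range(factor)]


# Constructed icons: CHECKER stands in for a legitimate app icon, MIMIC copies it
# with one corner altered (as a re-drawn lookalike would), GRADIENT is unrelated.
CHECKER: Gray = [[0, 255] * 4 + [0] for _ in range(8)]
MIMIC: Gray = [row[:] for row in CHECKER]
MIMIC[0][7] = 0
GRADIENT: Gray = [[x * 32 for x in range(8)] + [255] for _ in range(8)]

# Allowlist: genuine icon hash -> the publisher expected to sign binaries carrying it.
KNOWN_ICONS: Dict[str, Tuple[int, str]] = {
    "ExampleApp (constructed)": (dhash(upscale(CHECKER, 4)), "Example Publisher Ltd (constructed)"),
}


def classify(icon: Gray, publisher: str,
             known: Dict[str, Tuple[int, str]] = KNOWN_ICONS,
             max_distance: int = 6) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (verdict, matched_app, distance).

    A near-identical icon signed by someone other than the expected publisher is
    the mimicry pattern the article describes; the distance threshold tolerates
    small re-encoding or resizing differences.
    """
    h = dhash(icon)
    best = min(((hamming(h, kh), name, pub) for name, (kh, pub) in known.items()),
               default=None)
    if best is None or best[0] > max_distance:
        return ("no-match", None, None)
    distance, name, expected_pub = best
    verdict = "genuine-icon" if publisher == expected_pub else "lookalike-icon"
    return (verdict, name, distance)


if __name__ == "__main__":
    print(classify(upscale(CHECKER, 4), "Example Publisher Ltd (constructed)"))
    print(classify(MIMIC, "Unverified Signer (constructed)"))
    print(classify(GRADIENT, "Unverified Signer (constructed)"))
```

The same `dhash` works for favicons: hash the favicon served by a suspicious domain and compare it with the hashes of the brands it might be impersonating. The verdict is only a signal; the signer or domain must still be checked, which is why `classify` takes the publisher as input rather than trusting the icon alone.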
There was a time when conventional wisdom said that an executable was trustworthy when it was code-signed. Then it became clear that you needed to determine what entity was signing it. This remains best practice, but it’s not always enough. Certificate consumers are generally defenseless against malware signed with legit certificates from well-known entities.
There have been many cases where attackers have stolen the code signing certificates of legitimate software companies or hijacked their development facilities to sign malware. See Adobe, JMicron and Realtek (as part of the Stuxnet attack), SolarWinds, and Nvidia.
But if the certificates were still valid for 87% of the signed samples, they were invalid for the other 13%. This underscores the importance of revocation checking in every case where you verify a code signature.
“One of the most effective social engineering techniques consists of hiding malware by packaging it into installation packages with legitimate software. This becomes a supply chain attack when attackers get access to the official distribution server, source code, or certificates.”
--Deception at Scale, VirusTotal, August 2, 2022
Dirty secret of code signing
The study also shows the importance of vigorous malware scanning – probably with more than one antivirus engine – of all executables before they are installed anywhere. This, too, will root out many malicious samples. In some cases, you may want to scan executables using VirusTotal, which “inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content.” Incorporating this as a standard practice may be difficult.
There’s also a dirty secret of code signing: if the signature passes the check and the application is installed, that’s the end of code signing’s usefulness. There is no process for notifying users who installed an application that the code signing cert for it was revoked.
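The two points above, revocation checking whenever a signature is verified and the absence of any re-check once software is installed, can be turned into a policy layer that sits on top of the platform's cryptographic signature check. The block below is an added example, not the article's or VirusTotal's code: it models a signer certificate, a revocation list entry with an effective date, and a signed binary with an optional trusted timestamp, then evaluates each binary at its signing time and re-evaluates an installed-software inventory when the revocation list changes. The cryptographic verification itself is assumed to have been done elsewhere and is represented by the `signature_ok` flag; certificates, serials, paths and dates are constructed.

```python
"""Signing-time validity and revocation checks for code-signed binaries.

Added example, not the article's or VirusTotal's code. `signature_ok` stands
for the platform's cryptographic check (assumed done elsewhere); everything
else is the policy layer. All certificates, serials, paths and dates are
constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SignerCert:
    serial: str
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Revocation:
    # Date from which the CA declares signatures by this cert untrusted; for a
    # stolen key this is the earliest date the key is believed compromised.
    effective_from: datetime
    reason: str


@dataclass(frozen=True)
class SignedBinary:
    path: str
    signer: SignerCert
    signature_ok: bool             # result of the cryptographic check (assumed)
    signed_at: Optional[datetime]  # trusted countersignature timestamp, if any


def evaluate(binary: SignedBinary, crl: Dict[str, Revocation], now: datetime) -> str:
    """Return a status for one binary under a timestamp-aware policy."""
    if not binary.signature_ok:
        return "invalid-signature"
    cert = binary.signer
    # Without a trusted timestamp the only defensible signing time is 'now'.
    signing_time = binary.signed_at if binary.signed_at is not None else now
    if not (cert.not_before <= signing_time <= cert.not_after):
        return "cert-not-valid-at-signing-time"
    revocation = crl.get(cert.serial)
    if revocation is None:
        return "valid"
    if binary.signed_at is None or binary.signed_at >= revocation.effective_from:
        return "revoked"
    # The timestamp proves the signature predates the compromise date; the
    # signature stands, but the signer is compromised and the file deserves review.
    return "valid-but-signer-later-revoked"


def recheck_inventory(installed: List[SignedBinary], crl: Dict[str, Revocation],
                      now: datetime) -> List[Tuple[str, str]]:
    """Re-evaluate already-installed binaries against the current CRL and list
    everything that is no longer cleanly valid: the alert the platform never raises."""
    findings = []
    for binary in installed:
        status = evaluate(binary, crl, now)
        if status != "valid":
            findings.append((binary.path, status))
    return findings


# Constructed timeline: one healthy signing cert, one whose key was stolen.
UTC = timezone.utc
GOOD_CERT = SignerCert("1001", "CN=Example Vendor (constructed)",
                       datetime(2021, 1, 1, tzinfo=UTC), datetime(2023, 1, 1, tzinfo=UTC))
STOLEN_CERT = SignerCert("1002", "CN=Example Vendor Build Server (constructed)",
                         datetime(2021, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC))
CRL: Dict[str, Revocation] = {
    "1002": Revocation(datetime(2022, 6, 1, tzinfo=UTC), "keyCompromise"),
}
NOW = datetime(2022, 8, 1, tzinfo=UTC)

INSTALLED: List[SignedBinary] = [
    SignedBinary("vendor-setup.exe", GOOD_CERT, True, datetime(2022, 3, 1, tzinfo=UTC)),
    SignedBinary("vendor-update.exe", STOLEN_CERT, True, datetime(2022, 7, 1, tzinfo=UTC)),
    SignedBinary("vendor-tool.exe", STOLEN_CERT, True, datetime(2022, 2, 1, tzinfo=UTC)),
    SignedBinary("vendor-helper.exe", STOLEN_CERT, True, None),
    SignedBinary("tampered.exe", GOOD_CERT, False, datetime(2022, 3, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    for path, status in recheck_inventory(INSTALLED, CRL, NOW):
        print(f"{path}: {status}")
```

Running `recheck_inventory` on a schedule against a freshly downloaded CRL is the missing notification step: a binary that passed at install time can later show up as `revoked` or `valid-but-signer-later-revoked`, and an unsigned-timestamp file signed with an expired certificate drops to `cert-not-valid-at-signing-time` once the certificate's window closes.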
The main call to action is to remind everyone who signs code of the importance of storing keys in HSMs where they will be well-protected. Protection of the build systems is every bit as important.