Stuxnet-style code signing of malware becomes darknet cottage industry

Share this…

Even reports of crims offering signing-as-a-service.

Underground cybercrooks are selling digital certificates that allow code signing of malicious instructions, creating a lucrative and expanding cottage industry in the process, according to new research from threat intelligence firm InfoArmor.

In one case, a hacker tricked a legitimate certificate authority into issuing digital certificates for malware before marketing a cyber-espionage tool called GovRAT.

GovRAT is a malware creation tool that comes bundled with digital certificates for code signing initially sold through TheRealDeal Market, an underground marketplace on the so-called dark net that’s only accessible using TOR.

The cybercrime or cyber-espionage toolkit was offered for sale at 1.25 Bitcoin ($420, at current rates, or $1,000 at the time) before the seller began selling it privately.

This type of illicit trade is far from a one off.

InfoArmor found other posts promoting code-signing certificates1 in various underground marketplace. Hackers price these certificates at between $600-$900 depending on the issuing company. Code-signing certificates issued by Comodo, Thawte DigiCert and GoDaddy – firms well known for supplying digital credentials to legitimate software developers – are among those on offer.

Stuxnet-style code signing of malware becomes darknet cottage industry

Andrew Komarov, president and chief intelligence officer at InfoArmor, explained that these sellers are courting hackers and cyberspies looking to mount targeted attacks.

“[The buyers are] blackhats (mostly state-sponsored), malware developers,” Komarov told El Reg. “It is pretty professional audience, as typical script kiddies and cybercriminals don’t need such stuff. It is used in APTs, organised for targeted and stealth attacks. The appearance of such services on the blackmarket allow [hackers] to perform them much more easily, rather like Stuxnet.”

Stolen or fake certificates were discovered in the Stuxnet worm and the Sony hack, both high profile attacks. InfoArmor’s research suggests the technique is being made available to a far wider range of potential attackers.

“It is a pretty specific niche of modern underground market,” Komarov added. “It can’t be very big, as the number of certificates is pretty limited, and it is not easy to buy them, but according to our statistics, the number of such services is significantly growing.”

InfoArmor estimates crooks are getting hold of these certificates through resellers. “Bad actors buy digital certificates through resellers, where the due diligence of customers is pretty poor,” Komarov explained. “They provide fake names, or fake information about the author and purpose on why they need this certificate, and receive it. After they have received such certificates, they trade it on the blackmarket for malware developers, allowing them to create signed malware for further APT in several minutes.”

The certs can be used to sign far more than just executable files. It’s also possible to sign drivers, Microsoft Office documents, Java content and many other file types.

Russian-speaking hackers behind these sales boast that certification revocation, a process that would invalidate rogue code-signing certificate, is slow and (in any case) rare.

Some cybercriminals have even begun offering malware-signing-as-a-service, using prepared digital certificates. One such service ran from a website called before the domain was suspended. The hacker behind the operation is still in business, according to InfoArmor.

RAT pack

The GovRAT tool uses special tools for code signing such as Microsoft SignTool and WinTrust to digitally sign malicious code.

The same unidentified hacker also sold code signing certificates that used Authenticode technology2.

The GovRAT malware is probably designed for cyber espionage APT campaigns. The use of a digital certificate is designed to fool antivirus software. Once planted, malware signed using the tool can communicate over SSL, obscuring the exfiltration of sensitive data.

In samples intercepted by InfoArmor, miscreants are using one certificate per malware sample, signing each binary individually. GovRAT victims include political, diplomatic and military employees of more than 15 governments worldwide.

Seven banks, some in the US, and 30 defence contractors have also been targeted for attack. In addition, more than 100 corporations have been hit by malware developed using GovRAT since early 2014.

GovRAT features advanced self-encryption and anti-debugging tools. InfoArmor’s report on GovRAT and the wider trade in purloined code signing certificates can be downloaded from its website here(registration required).


1Code signing certificates are special certificates that allow developers to sign their software and its components (drivers, dlls, etc.). Signed software is normally interpreted as trusted on users computers and operating systems, making the abuse of signing technology interesting to spies and cybercriminals alike. Hackers use purloined certificates (stolen, or registered on another names and companies) in order to sign their malware.

2Microsoft Authenticode is used for digital certificates validation on Microsoft Windows. Redmond’s support means many publishers and developers use it in their own applications.