A recent report by security researchers has revealed that a ransomware gang has been abusing Microsoft certificates to sign its malware and evade detection. The gang, known as Conti, is one of the most active and prolific ransomware groups in the world, responsible for hundreds of attacks on organizations in a variety of industries.
According to the report, Conti has been using a technique called “certificate spoofing” to make its malware look like legitimate Microsoft software. Certificate spoofing manipulates the digital signature of a file so that it appears to have been signed by a trusted authority. In this case, Conti was able to spoof the certificate of Microsoft Windows Defender, the antivirus software built into Windows.
By doing so, Conti was able to bypass the security controls of Windows Defender and of other antivirus products that rely on certificate validation, executing its ransomware payload without being detected or blocked by the system. The report also found that Conti was using a custom packer to obfuscate its malware code and bypass static analysis.
The researchers warned that certificate spoofing is a serious threat that can undermine the trust and security of digital certificates. They advised organizations to implement multiple layers of defense, such as behavioral analysis, network monitoring, and endpoint detection and response, to protect against ransomware attacks. They also recommended that Microsoft revoke forged certificates and update its signature verification process to prevent future abuse.
A new report reveals how a ransomware group known as “Cuba” has been exploiting Microsoft-certified malware to launch cyberattacks on various organizations in the U.S. and other countries. The group, suspected of operating out of Russia, has been active since at least 2020 and has targeted sectors such as healthcare, education and manufacturing. According to the report, Cuba has been using malware signed with valid Microsoft certificates, which means that the malware can bypass some security controls and appear more trustworthy to potential victims. The report also provides technical details on how the malware works and how it encrypts data on infected systems, demanding a ransom for recovery. The report warns that Cuba is likely to continue its malicious activities and advises organizations to take preventative measures to protect their networks and data from ransomware attacks.
Code signing is a crucial process that verifies the authenticity and integrity of software. It involves using a cryptographic certificate issued by a trusted authority to digitally sign the software. In this way, users can be sure that the software they download or install comes from a legitimate source and has not been tampered with.
However, code signing is not immune to attacks. Cybercriminals can exploit vulnerabilities in code signing infrastructure, such as stealing or forging certificates, compromising signing servers or abusing legitimate services, to sign their malware. This can help them evade security defenses and trick users into trusting their malware.
An example of this threat is Google’s recent discovery that some Android apps distributed through third-party channels were signed with compromised platform certificates. These certificates are managed by Android device manufacturers and are used to sign system components and pre-installed apps. Some of the malicious apps were found to contain parts of the Manuscrypt malware, which is linked to North Korean hackers targeting cryptocurrency platforms.
Another example is Mandiant’s observation that some ransomware groups use a common criminal service for code signing. The service provides stolen or fraudulently obtained certificates or signing services to threat actors for a fee. This allows them to circumvent endpoint detection and response products from various vendors.
These incidents highlight the need for increased vigilance and protection against code signing attacks. The security community must be aware of this emerging threat and implement additional security measures, such as verifying the reputation and validity of signing certificates, monitoring code signing activity for anomalies, and using multiple layers of defense. In addition, we may see more attackers attempt to copy this type of attack in the future.
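As an added illustration of the "verify certificate validity" advice above (example code written for this article, not from any of the cited reports), the following PowerShell script inspects the Authenticode signature of executables in a directory, rebuilds the signer's chain with online revocation checking, and flags files whose signer subject claims Microsoft but whose trust anchor is not a Microsoft root. The scan path and the string match on "Microsoft" are assumptions to adapt to your environment.

```powershell
# Added example: audit Authenticode signatures for missing, broken, revoked,
# or implausibly anchored signers. Requires Windows PowerShell or PowerShell 7 on Windows.
param(
    [string]$Path = "C:\Users\Public\Downloads"   # assumed scan location; change as needed
)

function Test-SignerChain {
    # Rebuild the signer's certificate chain and consult CRL/OCSP for every element.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'        # a revoked (stolen) cert fails here
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $built = $chain.Build($Cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        ChainOk = $built
        Root    = $root.Subject
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll,*.sys -File |
ForEach-Object {
    $sig        = Get-AuthenticodeSignature -FilePath $_.FullName
    $signerName = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $finding    = $null
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, NotTrusted, ... are all worth a look
        $finding = "signature status $($sig.Status)"
    } else {
        $chain = Test-SignerChain -Cert $sig.SignerCertificate
        if (-not $chain.ChainOk) {
            $finding = "chain failed: $($chain.Status)"
        } elseif (($signerName -match 'Microsoft') -and ($chain.Root -notmatch 'Microsoft')) {
            # Subject text says Microsoft but the trust anchor does not: treat as suspect
            $finding = "Microsoft subject anchored to $($chain.Root)"
        }
    }
    if ($finding) {
        [pscustomobject]@{ File = $_.FullName; Signer = $signerName; Finding = $finding }
    }
} | Format-Table -AutoSize
```

A "Valid" status from Get-AuthenticodeSignature only means the chain ends at some trusted root; the extra chain rebuild adds revocation checking and the root-identity comparison that a stolen or look-alike certificate would otherwise pass.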