{"id":590,"date":"2022-09-02T02:54:00","date_gmt":"2022-09-02T02:54:00","guid":{"rendered":"https:\/\/www.cloudcoffer.com\/?p=590"},"modified":"2023-03-01T02:58:46","modified_gmt":"2023-03-01T02:58:46","slug":"is-a-valid-digital-signature-good-enough-to-show-that-a-program-is-not-malicious","status":"publish","type":"post","link":"https:\/\/www.cloudcoffer.com\/?p=590","title":{"rendered":"Is a valid digital signature good enough to show that a program is not malicious?"},"content":{"rendered":"\n<p><strong>Introduction<\/strong><\/p>\n\n<p>Many antivirus vendors whitelist software that is signed with a valid digital certificate. They do so because there are gray areas when judging between normal software and malware. For example, some RDP software reads credentials from the Windows registry, a behavior that is otherwise typically deemed malicious. Because of these gray areas, if a piece of software is signed with a valid digital certificate, security controls may simply let it through without scanning it.<\/p>\n\n<p>However, according to CloudCoffer intelligence, many cyber criminals have been able to use such valid digital certificates to sign malware and carry out malicious behavior. This is happening worldwide now.<\/p>\n\n<p>Under these circumstances, malware signed with valid digital certificates has been compromising organizations without being noticed.<\/p>\n\n<p><strong>Analysis<\/strong><\/p>\n\n<p>CloudCoffer has found that malware is now widely signed with the valid digital signatures of corporations and is present inside those corporations. In one example, the digital certificate \u201cF518FAD5DEC9E0500DA1C1598C4B0FFC0268B2D0\u201d of a multinational technology company was stolen, and a large amount of malware has been signed with it. The following diagram shows the details of the stolen digital signature.<\/p>\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"502\" height=\"258\" src=\"https:\/\/www.cloudcoffer.com\/wp-content\/uploads\/2023\/03\/image.png\" alt=\"Stolen digital signature from the multinational technology company\" class=\"wp-image-591\" srcset=\"https:\/\/www.cloudcoffer.com\/wp-content\/uploads\/2023\/03\/image.png 502w, https:\/\/www.cloudcoffer.com\/wp-content\/uploads\/2023\/03\/image-300x154.png 300w\" sizes=\"auto, (max-width: 502px) 100vw, 502px\" \/><\/figure>\n\n<p>Diagram 1: Stolen digital signature from the multinational technology company<\/p>\n\n<p>One hash value of the sample malware is \u201c44da6217702a77c01ed9735e67d6fffee11de2298aaaea899ddbc39da26460e0\u201d.<\/p>\n\n<p>If victims are infected by the malware, attackers may read private messages, connect to C&amp;C servers, and steal sensitive information from browsers on the victims\u2019 systems. The malware also tries to download an executable named \u201cbuild.exe\u201d, which connects the victim\u2019s system to 142.250.180.142, an address currently abused as a C&amp;C server. The following diagram from \u201cabuseipdb.com\u201d shows that 142.250.180.142 has been reported for malicious behavior such as \u201cFraud Orders\u201d, \u201cDDoS attack\u201d and \u201cHacking\u201d.<\/p>\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"728\" height=\"534\" src=\"https:\/\/www.cloudcoffer.com\/wp-content\/uploads\/2023\/03\/image-1.png\" alt=\"abuseipdb.com report for 142.250.180.142\" class=\"wp-image-592\" srcset=\"https:\/\/www.cloudcoffer.com\/wp-content\/uploads\/2023\/03\/image-1.png 728w, https:\/\/www.cloudcoffer.com\/wp-content\/uploads\/2023\/03\/image-1-300x220.png 300w\" sizes=\"auto, (max-width: 728px) 100vw, 728px\" \/><\/figure>\n\n<p>Diagram 2: abuseipdb.com shows that 142.250.180.142 is involved in many cyber criminal events.<\/p>\n\n<p>In another example, the digital certificates of governments were leaked by third-party development companies, and attackers have used those certificates to release malware. The attackers have sent sensitive internal information out through a root DNS server whose IP address is 198.97.190.53. Because 198.97.190.53 is a root DNS server, many security controls have whitelisted it as well. Even though 198.97.190.53 is a root DNS server, the following diagram shows that it has been reported on \u201cabuseipdb.com\u201d as participating in cyber attacks.<\/p>\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"840\" height=\"428\" src=\"https:\/\/www.cloudcoffer.com\/wp-content\/uploads\/2023\/03\/image-2.png\" alt=\"abuseipdb.com report for the root DNS server 198.97.190.53\" class=\"wp-image-593\" srcset=\"https:\/\/www.cloudcoffer.com\/wp-content\/uploads\/2023\/03\/image-2.png 840w, https:\/\/www.cloudcoffer.com\/wp-content\/uploads\/2023\/03\/image-2-300x153.png 300w, https:\/\/www.cloudcoffer.com\/wp-content\/uploads\/2023\/03\/image-2-768x391.png 768w\" sizes=\"auto, (max-width: 840px) 100vw, 840px\" \/><\/figure>\n\n<p>Diagram 3: Root DNS server reported to be involved in cyber attacks<\/p>\n\n<p>As mentioned, these types of attacks are growing in number.<\/p>\n\n<p><strong>Conclusion<\/strong><\/p>\n\n<p>The lesson is that a digital signature is only one of many factors for deciding whether software may be trustworthy; it should never be the only factor. Beyond digital certificates stolen from known enterprises, we have identified malware signed with the valid digital certificates of governments. On investigation, we found that the governments had outsourced the code to third parties, and those third parties accidentally leaked the digital certificates. This is one of the reasons attackers are able to sign their own malware with valid digital certificates.<\/p>\n\n<p>Whitelisting makes things easier, but it can also be the weakest link in our infrastructure. Security teams should pay extra attention to these types of breaches.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many antivirus vendors whitelist software that is signed with a valid digital certificate. They do so because there are gray areas when judging between normal software and malware. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[15,14],"class_list":["post-590","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-digital-signature","tag-malware"]}