Malware Strikes With Valid Digital Certificate

One of the foundational elements of ecommerce is the chain of trust enabled by digital certificates. When you go to a web site, you can feel confident that it's legitimate because it has a certificate from a recognized certificate authority that vouches for it. But the process that issues those certificates can be abused. Case in point: Security firm Malwarebytes recently discovered malware in the wild signed with a valid digital certificate.

"One of our security researchers identified this piece of malware," says Jerome Segura, senior security researcher at Malwarebytes. "It's a typical Trojan with one peculiarity: It was signed, and unlike a lot of malware that uses signatures, this one was valid."

The malware is a banking/password stealer that Segura says spreads by email. It poses as a PDF invoice and is signed with a valid code-signing certificate issued to a real Brazilian software company called "Buster Paper Comercial Ltda," Segura says. The certificate was issued by DigiCert, a certificate authority best known for SSL certificates. Segura notes that although DigiCert has been notified about the malware, the certificate has not yet been revoked.

"I don't think it's stolen, per se," Segura says. "It looks like what [the criminals] did is they looked at this company in Brazil, which is a software company, and essentially made a request in their name to DigiCert. From the point of view of the certificate authority, it looks normal. [The criminals] probably spoofed the email address to buy the certificate. It looks to me as if it's too easy for anybody who does a bit of research to either impersonate a company or set up a fake web site as if it were a company and then buy a certificate."

When someone opens this particular file, Segura says, it displays what appears to be a PDF invoice. But it also creates a number of processes that connect to an enterprise cloud storage company.

"This is a sub-domain for a cloud storage company focusing on file sharing for the enterprise," Segura says. "Well, in our case, it's file storage for the criminals."

The fake PDF downloads two very large and WIDEAWAKE1.ecl. Segura notes that Malwarebytes has also reached out to the cloud storage company about the issue but has yet to receive a response.

Segura notes that ThreatExpert, provider of an automated threat analysis system, found a similar Trojan with a valid digital certificate last November. That Trojan's certificate has since been revoked.

"What we have here is a total abuse of hosting services, digital certificates and repeat offenses from the same people," Segura says. "Clearly if digital certificates can be abused so easily, we have a big problem on our hands."

Digital Certificates Used for Spear Phishing Attacks

"Digital certificate theft can be used in targeted attacks as [for] spear phishing, for example," Segura says. "As we know, one of the weakest links in the security chain is the end-user (and this is especially true in the enterprise world). An attacker can easily find out or guess what antivirus a company is running and craft a piece of malware that will not be detected by it. Because such attacks are very narrow, the sample will not be disseminated around the world, making its discovery less likely."

Segura recommends that end-users still check for a valid digital signature before opening an attachment received via email (even if they know the sender). But he also recommends following two basic but "powerful" rules:

  • Check the file extension and beware the multiple file extension trick (i.e., document.pdf.xls.exe)

  • Never trust file icons; just because it looks like a Word document or PDF, that doesn't mean it is
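Both rules come down to the same discipline: decide what a file is from its name and its bytes, never from its icon. The script below is an added example written for this page, not code from Malwarebytes or from the article; it flags the multiple-extension trick the article names (document.pdf.xls.exe), and goes a little beyond the text by also catching the right-to-left-override filename trick and by comparing the claimed extension against the file's leading bytes, which is how an executable wearing a PDF icon gets caught. The magic-byte table and the sample files are constructed for the example.

```python
"""Attachment triage helpers: expose double extensions, RTLO name spoofing
and icon/extension masquerading by checking the bytes, not the name.
Added example for this page; not the article's or Malwarebytes' code."""

# Leading bytes of a few common attachment formats (table constructed for this example).
MAGIC = [
    (b"%PDF", "pdf"),
    (b"MZ", "pe"),                                   # .exe/.scr/.dll/.cpl all start with MZ
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls
    (b"PK\x03\x04", "zip"),                          # .zip and OOXML .docx/.xlsx
]

# What the final extension claims the content is.
EXT_TO_KIND = {
    "pdf": "pdf", "exe": "pe", "scr": "pe", "dll": "pe", "cpl": "pe",
    "doc": "ole", "xls": "ole", "docx": "zip", "xlsx": "zip", "zip": "zip",
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
                   "msi", "hta", "cpl", "dll"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
RTLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: makes "x\u202efdp.exe" render as "xexe.pdf"


def sniff_kind(data: bytes) -> str:
    """Classify content by its leading bytes; 'unknown' if nothing in MAGIC matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def real_extension(filename: str) -> str:
    """The extension the OS will actually honour: the text after the last dot."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def check_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    exts = [e.lower() for e in filename.split(".")[1:]]
    final = real_extension(filename)

    if RTLO in filename:
        findings.append("rtlo")                        # name is visually spoofed
    if len(exts) > 1:
        findings.append("multiple extensions")         # document.pdf.xls.exe
    if final in EXECUTABLE_EXTS:
        findings.append("executable extension")
    if len(exts) > 1 and exts[0] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        findings.append("document extension hides executable")

    # The icon is drawn from the file's own resources, so only the bytes are trustworthy.
    kind = sniff_kind(data)
    claimed = EXT_TO_KIND.get(final)
    if claimed and kind != "unknown" and kind != claimed:
        findings.append(f"content is {kind} but name claims {claimed}")
    return findings


if __name__ == "__main__":
    # Constructed samples: a real PDF, the article's double-extension name,
    # a PE file renamed to .pdf, and an RTLO-spoofed name.
    samples = [
        ("invoice.pdf", b"%PDF-1.4\n%fake body"),
        ("document.pdf.xls.exe", b"MZ\x90\x00\x03"),
        ("invoice.pdf", b"MZ\x90\x00\x03"),
        ("invoice" + RTLO + "fdp.exe", b"MZ\x90\x00\x03"),
    ]
    for name, blob in samples:
        print(repr(name), "->", check_attachment(name, blob) or "clean")
```

Note that the check is deliberately name-and-bytes only: a valid Authenticode signature, as this article shows, proves that someone obtained a certificate, not that the file is safe, so it is kept out of the "is this really a PDF?" decision.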

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers. Follow Thor on Twitter @ThorOlavsrud.
