Issued for Abuse: Measuring the Underground Trade in Code Signing Certificate
Kristián Kozák, Bum Jun Kwon, Doowon Kim, Tudor Dumitraș

TL;DR
This paper investigates the underground trade of code signing certificates used for malicious purposes, analyzing vendor practices, market dynamics, and the relationship between certificates and malware in the wild.
Contribution
It provides a comprehensive analysis of the underground market for code signing certificates and how malware authors acquire and utilize these certificates, highlighting a shift towards underground vendors.
Findings
Underground vendors now dominate the acquisition of malicious code signing certificates.
Malware authors increasingly buy certificates from underground vendors rather than stealing them from compromised legitimate publishers.
Demand for certificates is driven by the need to bypass security protections like Microsoft Defender SmartScreen.
Abstract
Recent measurements of the Windows code-signing certificate ecosystem have highlighted various forms of abuse that allow malware authors to produce malicious code carrying valid digital signatures. However, the underground trade that allows miscreants to acquire such certificates is not well understood. In this paper, we illuminate two aspects of this trade. First, we investigate 4 leading vendors of Authenticode certificates, we document how they conduct business, and we estimate their market share. Second, we collect a data set of recently signed malware and we use it to study the relationships among malware developers, malware families and the certificates. We also use information from the black market to fingerprint the certificates traded and to identify when they are likely used to sign malware in the wild. Using these methods, we document a shift in the methods that malware…
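One practical check that the abstract's fingerprinting suggests is matching the signer certificate of a signed binary against a list of certificates known to have been sold for abuse. The block below is an added example, not code from the paper or its authors: it extracts the identifying fields of a DER-encoded X.509 certificate using only the Python standard library and keys a blocklist on (issuer CN, serial number), the pair that CRLs use to name a certificate, alongside the SHA-1 thumbprint Windows displays. build_cert, ABUSED_CERTS and every name and serial in them are constructed for this example. The code performs no signature verification; a real pipeline would first verify the Authenticode chain and pull the leaf certificate out of the PE's security directory before asking this question.

```python
"""Identify a code-signing certificate against a constructed list of
known-abused certificates. Added example, standard library only."""
import hashlib
from typing import Dict, Optional, Tuple

# --- minimal DER encoder, used only to construct sample certificates ---
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n: int) -> bytes:
    # minimal two's-complement encoding of a non-negative INTEGER
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue); a single CN here
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))

def der_alg(oid: bytes) -> bytes:
    return tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))

def build_cert(serial: int, issuer_cn: str, subject_cn: str) -> bytes:
    """Construct a structurally valid X.509 v3 certificate (test data).
    Public key and signature are zero-filled placeholders, so no verifier
    would accept this certificate; it only exercises the parser."""
    validity = tlv(0x30, tlv(0x17, b"180101000000Z") + tlv(0x17, b"190101000000Z"))
    spki = tlv(0x30, der_alg(OID_RSA) + tlv(0x03, b"\x00" + bytes(8)))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(serial) + der_alg(OID_SHA256_RSA)
              + der_name(issuer_cn) + validity + der_name(subject_cn) + spki)
    return tlv(0x30, tbs + der_alg(OID_SHA256_RSA) + tlv(0x03, b"\x00" + bytes(16)))

# --- minimal DER reader and certificate field extraction ---
def read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, offset after the element) for the element at off."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length

def name_cn(name_der: bytes) -> Optional[str]:
    """Return the commonName of a DER Name, or None if it has no CN."""
    _, rdns, _ = read_tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn_set, pos = read_tlv(rdns, pos)
        _, atv, _ = read_tlv(rdn_set, 0)          # first AttributeTypeAndValue
        _, oid, p = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, p)
        if oid == OID_CN:
            return value.decode("utf-8")
    return None

def parse_cert(cert_der: bytes) -> Dict[str, object]:
    """Extract the identifying fields of a DER certificate without verifying it."""
    tag, cert_body, end = read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER SEQUENCE")
    _, tbs, _ = read_tlv(cert_body, 0)    # tbsCertificate
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                       # optional [0] EXPLICIT version
        tag, val, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    start = pos
    _, _, pos = read_tlv(tbs, pos)        # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = read_tlv(tbs, pos)        # validity
    start = pos
    _, _, pos = read_tlv(tbs, pos)        # subject Name
    subject = tbs[start:pos]
    return {
        "serial": serial,
        "issuer_cn": name_cn(issuer),
        "subject_cn": name_cn(subject),
        "sha1": hashlib.sha1(cert_der).hexdigest(),  # thumbprint as Windows shows it
    }

# Constructed blocklist: issuer CN and serial of certificates reported as sold
# for abuse. Real entries would come from the kind of data the study collects.
ABUSED_CERTS: Dict[Tuple[str, int], str] = {
    ("Example Trust CA", 0x1234): "offered by underground vendor (constructed entry)",
}

def classify(cert_der: bytes, blocklist=ABUSED_CERTS) -> Optional[str]:
    """Return the blocklist note if the certificate's (issuer, serial) matches."""
    info = parse_cert(cert_der)
    return blocklist.get((info["issuer_cn"], info["serial"]))

if __name__ == "__main__":
    sample = build_cert(0x1234, "Example Trust CA", "Shady Publisher LLC")
    print(parse_cert(sample))
    print("abused:", classify(sample))
```

Keying on issuer plus serial rather than on the subject name matters because vendors can obtain several certificates for the same front company; the serial is unique per issuer, and the thumbprint is the value to compare when a revoked certificate surfaces in a sample set.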
Taxonomy
Topics: Advanced Malware Detection Techniques · Spam and Phishing Detection · Cybercrime and Law Enforcement Studies
