SpiderLabs Blog

Trust for Sale

Let's, for a moment, get into the mind of a cyber criminal:

Say you have a malicious executable that steals sensitive data (credit card numbers, credentials, etc.) which you would like to run on compromised computers. You have put a lot of effort into developing the Trojan, and you want to stay under the radar as much as possible. You know that when an unsigned executable, or one signed with an untrusted certificate, is executed, Windows warns the user with dialogs similar to the following samples:

Executed via browser:

[Screenshot: warning dialog shown when the file is executed via the browser]

Or if opened via Windows Explorer:

[Screenshot: warning dialog shown when the file is opened via Windows Explorer]

You also know that there are even some security products that block unsigned or untrusted binaries.

To stay on the safe side and increase your chances of success, you want to sign the malicious exe file with a trusted certificate.

But where can you find a trusted certificate you can use to sign the malicious file?

It's quite obvious that applying for a certificate from one of the trusted CAs (Certificate Authorities) is not realistic since you have to identify yourself to the CA and later that identity will be attached to the file. Attaching your identity to malware is, well, not recommended.

You've also heard of APT campaigns such as Stuxnet and Duqu that used signed executables and trusted certificates. But the authors behind these campaigns were obviously resourceful enough to overcome this problem with methods not available to the average criminal.

So what could our average Joe criminal do in order to resolve this "problem"?

Not surprisingly, the underground hacking forums occasionally present some forbidden fruits for sale. A few days ago we came across a post in one of those forums selling two valid certificates:

[Screenshot of the forum post; translated below]

Translation:

"Got two trusted certificates for signing exe.

The first is valid until December 2013 - 700 WMZ.
The second is valid until March 2015 - 900 WMZ.

People who don't know what to do with them or people who are only willing to pay a small price – don't bother me.

Jabber: ####..."

Later in the thread the owner of the certificates added additional details about them:

  • The certificates were issued by Comodo and VeriSign.
  • VeriSign's certificate is valid until December 18th 2013.
  • Comodo's is valid until March 13th 2015.

Both of them were already sold by the time we got to this thread.

Seeing valid certificates from well-known CAs up for sale is always surprising, and the price is even more surprising: only ~$700 for the first certificate. Maybe stolen certificates are not as rare as we thought?

We don't know where this guy got the stolen certificates from, but we can share some educated guesses. The most common way involves a Trojan installed on an unsuspecting certificate owner's machine.

A recent example we blogged about is the Pony Trojan:

[Screenshot: Pony 1.9 control panel]

That is a screenshot of the Pony 1.9 control panel. One of the statistics lines shows the number of successfully stolen certificates.

And here is a code snippet of the Trojan, which is responsible for grabbing the certificates from the affected machine:

[Screenshot: disassembly of the Trojan's GrabCert routine]

The GrabCert routine uses crypt32.dll functions to extract the certificates. MyCertOpenSystemStore (which calls crypt32's CertOpenSystemStore) opens the certificate store, and MyCertEnumCertificatesInStore (which calls CertEnumCertificatesInStore) retrieves the next certificate from that store. The Trojan iterates over all the certificates in the store using a MASM ".WHILE TRUE" loop.

These certificates are later dispatched to the C&C server together with additional data that was leeched from the affected machine.
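As an added, defender-side example that is not part of the original post: a PowerShell audit of the same "My" certificate stores the Trojan walks, listing code-signing certificates that carry a private key and reporting whether that key is exportable from a software provider or lives in hardware. It assumes Windows PowerShell 5.1 or later with .NET's RSACertificateExtensions available, and reads LocalMachine keys fully only when run elevated.

```powershell
# Added audit example, not code from the original post: list code-signing certs
# with a private key in the "My" stores and show whether that key is exportable.
# Assumes Windows PowerShell 5.1+ (.NET RSACertificateExtensions available).

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Get-PrivateKeyPolicy {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return 'Non-RSA key (not inspected)' }
        if ($rsa -is [System.Security.Cryptography.RSACng]) {   # CNG: export policy + provider (software vs TPM/smart card)
            return ('{0}; provider={1}' -f $rsa.Key.ExportPolicy, $rsa.Key.Provider.Provider)
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {   # legacy CSP: Exportable + HardwareDevice flags
            $info = $rsa.CspKeyContainerInfo
            $policy = if ($info.Exportable) { 'AllowExport' } else { 'None' }
            return ('{0}; hardware={1}' -f $policy, $info.HardwareDevice)
        }
        return 'Unknown key type'
    } catch {   # usually "access denied" on LocalMachine keys when not elevated
        return 'Inaccessible: ' + $_.Exception.Message
    }
}

function Test-CodeSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq $CodeSigningOid) { return $true } }
        }
    }
    return $false
}

$findings = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem -Path $store | Where-Object { $_.HasPrivateKey -and (Test-CodeSigningEku $_) } | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            KeyPolicy  = Get-PrivateKeyPolicy $_
        }
    }
}

# AllowExport in a software provider is what a stealer walks off with; keep such keys on a token or HSM.
$findings | Format-Table -AutoSize
```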

Who knows? Maybe one of those stolen certificates is later found for sale in a forum for 700 WMZ?


I would like to thank my colleagues Arseny Levin and Anat Davidi for their help with the research put into this blog.
