Threat Actors Abuse Genuine Code-Signing Certificates To Evade Detections


A code signing certificate is a digital certificate that allows software developers to sign their applications.

This ensures both the “authenticity of the publisher” and the “integrity of the code.”

HarfangLab researchers recently discovered that threat actors have been actively abusing genuine code-signing certificates to evade detections.


In October 2024, cybersecurity researchers identified a significant campaign involving the “Lumma Stealer” malware.

In this campaign, “Lumma Stealer” is distributed via the “HijackLoader” malicious loader.

Fake CAPTCHA Web page (Source – HarfangLab)

This campaign, dubbed the “fake CAPTCHA” attack, “lures victims” to malicious websites where they unknowingly execute harmful “PowerShell commands.”


Hackers Abuse Genuine Code-Signing Certificates

These commands generally “download” and “run” a ‘ZIP archive’ containing a “DLL sideloading package,” which then executes the “HijackLoader.”

Infection chain (Source – HarfangLab)

A noteworthy development occurred on October 2, 2024, when a “signed HijackLoader” sample was detected using a “legitimate code-signing certificate” to evade security measures.

This sample (SHA-256: 1839b7152814b16b9f28326081f16bf9c5bbbb380005232c92d25c9a3e36e337) communicated with a C&C server at “me3ar40.quickworld[.]shop.”

The use of signed malware significantly reduced detection rates by “security products,” as illustrated by another sample (SHA-256: f158c65261bcab6e93927a219d12f596a4e40857bbd379f9889710ea17251e5e) impersonating the “Firefox” browser.

HijackLoader and DLL sideloading (Source – HarfangLab)

This evolution in tactics from “DLL sideloading” to signed binaries represents a sophisticated attempt to bypass traditional security measures, and it prompted further investigation into “compromised code-signing certificates” used in “malware distribution.”

Cybersecurity researchers initiated an investigation based on a HarfangLab EDR detection and uncovered multiple “abused code-signing certificates” used to sign malware.

They employed two main techniques:

  • First, they pivoted from known “HijackLoader” C2 hostnames like “quickworld[.]shop” by identifying signed executables accessing these URLs. This led to the discovery of two abused certificates.
  • Second, they analyzed “binary metadata” (“copyright,” “original name,” “description”) of malicious samples, noting that some impersonated legitimate software like “Wise Folder Hider.”

They developed matching rules to flag suspicious binaries, such as “unsigned legitimate software with signed impersonators” or “legitimate signed software with differently-signed impersonators.”
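The two hunting techniques described above, as an added example that is not HarfangLab's code: the reference table of known products and signers, the C2 domain set, the sample records and all hashes are constructed placeholders, and a real pipeline would populate them from EDR or sandbox PE-metadata exports.

```python
from collections import defaultdict

# Constructed reference table: PE "original name" -> expected signer subject,
# or None when the legitimate product ships unsigned (values are placeholders).
KNOWN_SOFTWARE = {
    "firefox.exe": "Mozilla Corporation",
    "WiseFolderHider.exe": "Placeholder Wise Publisher",
    "helper.exe": None,
}

# Constructed C2 domain set; the article names quickworld[.]shop for HijackLoader.
KNOWN_C2 = {"quickworld.shop"}

def flag_impersonators(samples, known=KNOWN_SOFTWARE):
    """Technique 2: compare metadata and signer against the legitimate product."""
    findings = []
    for s in samples:
        if s["original_name"] not in known:
            continue  # no reference product to compare against
        expected = known[s["original_name"]]
        if expected is None and s["signer"]:
            findings.append((s["sha256"], "signed impersonator of unsigned software"))
        elif expected and s["signer"] and s["signer"] != expected:
            findings.append((s["sha256"], "differently-signed impersonator"))
    return findings

def pivot_on_c2(samples, c2_domains=KNOWN_C2):
    """Technique 1: collect signers of executables that contact known C2 domains."""
    abused = defaultdict(set)
    for s in samples:
        host = s["c2_host"]
        hit = any(host == d or host.endswith("." + d) for d in c2_domains)
        if s["signer"] and hit:
            abused[s["signer"]].add(s["sha256"])
    return {signer: sorted(hashes) for signer, hashes in abused.items()}

# Constructed sample records (placeholder hashes and signers, not real IoCs).
SAMPLES = [
    {"sha256": "sample-1", "original_name": "firefox.exe",
     "signer": "Mozilla Corporation", "c2_host": ""},
    {"sha256": "sample-2", "original_name": "firefox.exe",
     "signer": "Acme Signing Ltd", "c2_host": "me3ar40.quickworld.shop"},
    {"sha256": "sample-3", "original_name": "helper.exe",
     "signer": "Acme Signing Ltd", "c2_host": ""},
    {"sha256": "sample-4", "original_name": "WiseFolderHider.exe",
     "signer": "Placeholder Wise Publisher", "c2_host": ""},
]
```

Each signer surfaced by `pivot_on_c2` becomes a new pivot: every other binary signed with that certificate is a candidate for the same review, which is how the iteration in the next paragraphs yields further certificates and C2 domains.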

Signed malware using the same C2 domain (Source – HarfangLab)

This process revealed three more abused certificates. The researchers iterated through these techniques which helped confirm malicious samples and extract new C2 domains for further analysis.

They reported the abused certificates to the issuing authorities, which revoked them within hours to a day.

While unable to definitively determine if the “certificates were stolen” or “deliberately created,” they noted the largely automated process of acquiring code-signing certificates.

The complete analysis highlighted that code signatures alone are insufficient for determining software trustworthiness.

This shows the need for “multi-layered detection strategies” including “behavior monitoring” and “in-memory scanning on endpoints.”
