Organizations use code signing certificates to authenticate their software and protect it against tampering.
By Andrei Barysevich, Recorded Future
We observed the earliest use of stolen code signing certificates in 2011, but it was not until 2015 that code signing certificates became widely available in the criminal underground.
Insikt Group identified four well-known vendors of such products since 2011; only two of them are currently offering their services to Russian-speaking hackers.
The most affordable version of a code signing certificate costs $299, but the most comprehensive Extended Validation (EV) certificate with a SmartScreen reputation rating is listed for $1,599. The starting price of a domain name registration with EV SSL certificate is $349.
All certificates are issued by reputable companies, such as Comodo, Thawte, and Symantec, and have proved extremely effective at disguising malware. We believe that the legitimate business owners are unaware that their data was used in these illicit activities.
Network security appliances performing deep packet inspection become less effective when SSL/TLS traffic presenting a legitimately issued certificate is initiated by a malicious implant. Netflow (packet header) analysis is an important control for reducing this risk, since host-based controls may likewise be rendered ineffective by legitimate code signing certificates.
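The following is an added example (not code from the Recorded Future post) showing the kind of header-only netflow analysis the paragraph refers to: it flags outbound TLS sessions whose timing is suspiciously regular, which works regardless of whether the certificate presented is valid. The internal address range, thresholds and flow records are constructed assumptions.

```python
"""Beacon detection over NetFlow-style records (added example, not from the
Recorded Future post). Periodic outbound connections are visible in packet
headers alone, so this check does not depend on inspecting the TLS payload or
judging the (possibly legitimately issued) certificate."""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site range

# Constructed flows: (timestamp_s, src, dst, dst_port, bytes). One workstation
# beacons roughly every 300 s to an external host on 443, while also doing
# ordinary, irregular browsing to another external host.
FLOWS = [(t, "10.1.2.3", "203.0.113.10", 443, 1200) for t in
         (0, 302, 598, 901, 1199, 1503, 1798, 2102)]
FLOWS += [(t, "10.1.2.3", "198.51.100.7", 443, 45000) for t in
          (12, 15, 130, 131, 133, 700, 1900, 1950)]


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_beacons(flows, min_flows=6, max_cv=0.1):
    """Return {(src, dst, port): period_s} for regular outbound TLS sessions.

    A (src, dst, port) tuple is flagged when it has at least min_flows
    connections and the coefficient of variation (stdev / mean) of the gaps
    between successive connections is at most max_cv, i.e. the timing is
    close to a fixed period rather than human-driven."""
    groups = defaultdict(list)
    for ts, src, dst, port, _size in flows:
        if port == 443 and is_external(dst):
            groups[(src, dst, port)].append(ts)
    findings = {}
    for key, times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            findings[key] = round(mean)
    return findings


if __name__ == "__main__":
    for (src, dst, port), period in detect_beacons(FLOWS).items():
        print(f"{src} -> {dst}:{port} every ~{period}s")
```

On the constructed records only the 300-second beacon to 203.0.113.10 is reported; the irregular browsing flows are not.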