Certified Bad:

One malware, Two years of Certificates.

Squiblydoo

Authenticode certificates are intended to ensure that software comes from vetted parties and can be trusted. In practice, however, malware is often signed with valid Authenticode certificates, and both the process by which malware gets signed and the implications of a valid signature on a malicious file are often misunderstood within InfoSec.

This presentation shares lessons learned from studying and documenting the Authenticode certificates used by the SolarMarker malware actor. The research spans 2 years and 50 Authenticode certificates that I personally documented and reported for revocation.

The presentation first explains the economy and roles in the Authenticode market and then uses SolarMarker as an in-depth case study. Understanding the certificate economy highlights how certificates are obtained, how they are evaluated by detection engines, and how they are understood by the InfoSec community. The case study covers how the SolarMarker actor has used certificates and discusses collisions between Authenticode certificates and other malware, that is, instances where SolarMarker used the same Authenticode certificate that had been used to sign other malware families, such as ZLoader and IcedID.