A new report released by Recorded Future has found that criminal gangs have escalated their use of stolen code-signing certificates to circumvent some current malware-blocking tools. While this isn't a new tactic, the researchers noted a significant rise in its use.
One of the controls that can be used to stop potentially malicious software from executing is to require that code be signed with a certificate issued by a trusted certificate authority. By stealing legitimate certificates, malware developers can bypass that layer of protection. The stolen certificates come from reputable certificate authorities including Comodo, Thawte, and Symantec, with prices ranging from around $300 all the way to $1800 depending on the issuer of the certificate.
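A signature that chains to a reputable CA is exactly what a stolen certificate provides, so "is it validly signed?" is no longer a sufficient check on its own. The following PowerShell function is an added example (not from the Recorded Future report) of a stricter defender-side check on Windows: it verifies the Authenticode signature, pins the signer to an allowlist of expected publisher thumbprints, and forces an online revocation check so that a certificate its real owner has since revoked is rejected. The thumbprint and file path are placeholders.

```powershell
# Added example, not part of the report. Assumes a Windows host with the
# built-in Get-AuthenticodeSignature cmdlet and .NET X509Chain available.
# Replace the placeholder with the thumbprint(s) of publishers you expect.
$ExpectedSignerThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-OF-YOUR-VENDOR-CERT'
)

function Test-TrustedSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $AllowedThumbprints = $ExpectedSignerThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1: the signature must verify and chain to a trusted root.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    $cert = $sig.SignerCertificate

    # Step 2: a valid chain is necessary but not sufficient. A stolen
    # certificate passes step 1, so pin the signer to known publishers
    # rather than accepting "any certificate from a reputable CA".
    if ($AllowedThumbprints -notcontains $cert.Thumbprint) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false
            Reason = "Valid signature but unexpected signer: $($cert.Subject) ($($cert.Thumbprint))" }
    }

    # Step 3: rebuild the chain with an explicit online revocation check
    # and the code-signing EKU, instead of relying on whatever revocation
    # policy the host happens to apply. Note this evaluates the chain as
    # of now, so a timestamped signature whose certificate has since
    # expired is rejected here; that is stricter than plain Authenticode.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
    if (-not $chain.Build($cert)) {
        $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Chain/revocation failure: $statuses" }
    }

    return [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = 'Valid, expected signer, not revoked' }
}

# Usage (placeholder path): Test-TrustedSignature -Path 'C:\Downloads\installer.exe'
```

Because revocation is the only lever the legitimate owner has once a certificate has been stolen, a check that skips step 3 will keep accepting the stolen certificate until it expires.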
These prices are significantly above the "face value" which is why Recorded Future doesn't expect these to become a mainstream element of common attacks. The costs outweigh the potential benefits unless the targets are high value.
The cybersecurity business is a constant game of whack-a-mole or catchup/leapfrog. As the bad guys come up with new attack methods and defensive capabilities improve, we can expect threat actors to look for new ways to spread malware. The use of stolen certificates is likely to become more common in attacks further up the value chain, such as attempts to steal valuable data from selected targets. But as stolen and counterfeit certificates are identified and blocked, it remains important to keep your security software, operating system, and applications patched and up to date.