When/if it is used to sign malware, we'll also track these in the CertGraveyard.org database.
Some recent examples were subsequently used to sign a fake RVTools installer: x.com/g0njxa/status/...
Others were used to sign CastleLoader.
3/4
Squiblydoo
BlueVoyant published their analysis of the LoremIpsumLoader that I've been tweeting about. www.bluevoyant.com/b...
The CertGraveyard had recorded 13 code-signing certificates, mostly Microsoft Trusted Signing certs used for the campaigns.
h/t @tsnikle
Low detection CastleLoader signed "SOFTWARE ANALYTICS LIMITED":
f50f825a64cb9c0435bc11db9225445687f8d1a44dba972a50ffa4dff600e72f
They changed from EXE to MSI
C2: arqeluno[.]com
We're seeing these regularly through our monitoring of MalwareBazaar. Bitsight is uploading them when they are observed being dropped by GCleaner.
The certificates follow patterns that we are already tracking and seeing being used for malware later.
2/4
We report certificates for revocation when they sign malware.
What about before they sign malware?
I've started adding certificates to Cert Graveyard that are being used to "warm" the certificate and improve its score before being used to sign malware.
1/4
We're working to get better attention on these certificates before they are used to sign malware. We're also working to better understand how these certificates are acquired. Interested in contributing? Join the debloat discord: discord.gg/dvGXKaY5qr
4/4
Off-topic
My favorite game studio has announced their new game: Knuckle Paradise.
In their discord discord.gg/flyingoak
If you could join the Discord and vote for me in the "chicken-fight-club" channel, it would be greatly appreciated.
Game trailer below.