Hiding Malware in Certificates

Late last year, Sophos published a blog post describing a new tactic in the arms race between hackers trying to sneak malicious content past anti-malware and data exfiltration scanners and the network defenders trying to stop them. The post was based on a Tweet by security researcher Paul Melson, where he shows an example of a malicious certificate that he came across in his research.

The sample malicious certificate shown in Melson’s Tweet indicates that this attack vector is still in the test phases: the hidden code only tries to run a program that is already installed on the host computer (which means the computer has already been infected by malware). In this post, we’ll discuss how this new technique works and some of its possible applications.

Hiding Data in Fake Certificates

Digital certificates are a common sight on the Internet. They carry a website’s public key, which is used to verify the website’s authenticity and to set up encrypted communications for HTTPS-enabled sites. Because certificates are so common, most network defenders won’t think twice about them, making them an ideal candidate for a covert communication channel.

In this section, we’ll take a look at what a real digital certificate looks like, how to differentiate it from the fake ones used in this attack and how to decode the information contained in a digital certificate.

A Real Certificate

Before digging into the details of the fake certificate used in this attack, let’s take a look at what a real one looks like. Certificates have two main encoding styles: DER-encoded and PEM-encoded. As an example, we’ll use the digital certificate for infosecinstitute.com.

The image above shows a DER-encoded certificate opened in a hex editor. This is a binary file, including
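The following is an added example, not code from the original post, from Sophos or from Melson’s research. It shows, with only the Python standard library, how to tell a PEM-encoded file from a DER-encoded one, how to recover the raw DER bytes from the PEM wrapper, and how to walk the ASN.1 tag-length-value (TLV) structure that a DER certificate is built from. The input is a constructed DER SEQUENCE (an assumption: it is not a real certificate, just a small structure with the same encoding rules), and the 256-byte threshold used to flag an oversized primitive element is an assumed heuristic, chosen to illustrate the kind of check a defender could run over certificates seen on the wire.

```python
import base64
import re


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element: tag byte, definite-length encoding, then the body."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


# Constructed sample input (assumption): a SEQUENCE holding an INTEGER, a UTF8String and an
# oversized OCTET STRING. It is NOT a real certificate; it only mimics DER structure so the
# parser below has something to walk.
SAMPLE_DER = der_tlv(
    0x30,  # SEQUENCE (constructed)
    der_tlv(0x02, b"\x01")               # INTEGER 1
    + der_tlv(0x0C, b"example.test")     # UTF8String
    + der_tlv(0x04, b"A" * 600),         # OCTET STRING: an unusually large blob
)


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in the base64 PEM armour, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def detect_encoding(data: bytes) -> str:
    """PEM files start with a '-----BEGIN' armour line; DER certificates start with 0x30 (SEQUENCE)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def to_der(data: bytes) -> bytes:
    """Return the raw DER bytes, base64-decoding the PEM body if needed."""
    if detect_encoding(data) != "PEM":
        return data
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", data, re.S)
    if not m:
        raise ValueError("malformed PEM armour")
    return base64.b64decode(b"".join(m.group(1).split()))


def parse_tlv(data: bytes, offset: int = 0):
    """Decode one TLV at offset; return (tag, body, offset_after_element)."""
    tag = data[offset]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported by this walker")
    first = data[offset + 1]
    if first < 0x80:
        length, pos = first, offset + 2
    elif first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[offset + 2:offset + 2 + nbytes], "big")
        pos = offset + 2 + nbytes
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated element")
    return tag, body, pos + length


def walk(data: bytes, depth: int = 0):
    """Yield (depth, tag, body_length) for every element, recursing into constructed ones (bit 0x20)."""
    offset = 0
    while offset < len(data):
        tag, body, offset = parse_tlv(data, offset)
        yield (depth, tag, len(body))
        if tag & 0x20:
            yield from walk(body, depth + 1)


def find_large_primitives(data: bytes, threshold: int = 256):
    """Flag primitive (non-constructed) elements whose body exceeds the threshold.

    Threshold is an assumed heuristic: string-type elements in a certificate are usually short,
    so a very large one is worth a closer look."""
    return [(tag, length) for depth, tag, length in walk(to_der(data))
            if not tag & 0x20 and length > threshold]


if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER).encode("ascii")
    print("encoding of PEM text:", detect_encoding(pem), "| round-trips to DER:", to_der(pem) == SAMPLE_DER)
    for depth, tag, length in walk(SAMPLE_DER):
        print("  " * depth + f"tag=0x{tag:02X} length={length}")
    print("oversized primitives:", find_large_primitives(pem))
```

The walker stops at the TLV level deliberately: a full X.509 decoder would also interpret OIDs, times and names, but the structural pass is enough to see where the bytes of a certificate actually go, which is the first thing to check when a certificate is larger than it should be.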

This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/WUnmth5AOHw/