A New Kind of Certificate Fraud: Executive Impersonation (Sep 16, 2019)

ReversingLabs has published research on the impersonation of executives through the use of digital certificates. The research, based on an unidentified company, reconstructs the timeline of an executive impersonation attack used to obtain valid digital certificates. Financially motivated actors can reduce the chance of their malware being detected by purchasing digital certificates on the black market. Digital signatures help threat actors appear to be legitimate entities, and the actors observed in the theft and resale of the certificates have likely targeted more than a dozen undisclosed businesses, according to researchers at ReversingLabs.

Recommendation: Exercise caution when whitelisting certificates based on whether they are signed or not. As this story demonstrates, being signed is not enough on its own: make sure the certificate is signed by a known vendor, especially when executables are involved.
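The recommendation above as an added example, not code from ReversingLabs or the original page: it contrasts a policy that allows any validly signed file with one that also requires a known vendor. The record fields, the `KNOWN_VENDORS` table and the sample files are constructed, and pinning the certificate fingerprint in addition to the publisher name is an assumption about how "known vendor" is enforced.

```python
"""Allowlisting on 'is it signed?' versus 'is it signed by a vendor we know?'."""
from typing import NamedTuple, Tuple

class SigRecord(NamedTuple):
    """Signature verification result for one file (field names are assumptions)."""
    path: str
    chain_valid: bool   # signature verifies and chains to a trusted root
    publisher: str      # organization name in the signing certificate
    cert_sha256: str    # fingerprint of the signing certificate

# Constructed allowlist: publisher name -> fingerprints of certificates we vetted.
KNOWN_VENDORS = {"Example Software Ltd": {"aa11" * 16}}

def weak_policy(rec: SigRecord) -> bool:
    """Trusts anything carrying a valid signature, whoever signed it."""
    return rec.chain_valid

def vendor_policy(rec: SigRecord, known=KNOWN_VENDORS) -> Tuple[bool, str]:
    """Requires a valid signature made with a known vendor's vetted certificate."""
    if not rec.chain_valid:
        return False, "unsigned or invalid signature"
    pinned = known.get(rec.publisher)
    if pinned is None:
        return False, "valid signature, unknown publisher"
    if rec.cert_sha256.lower() not in pinned:
        # A certificate issued in a familiar company's name is not proof
        # that the company itself requested or controls it.
        return False, "known publisher name, unvetted certificate"
    return True, "known vendor"

def policy_gaps(records):
    """Files the weak policy would allow but the vendor policy blocks."""
    gaps = []
    for rec in records:
        allowed, reason = vendor_policy(rec)
        if weak_policy(rec) and not allowed:
            gaps.append((rec.path, reason))
    return gaps

# Constructed sample records, not taken from the research.
SAMPLE = [
    SigRecord("updater.exe", True, "Example Software Ltd", "aa11" * 16),
    SigRecord("invoice_viewer.exe", True, "Unfamiliar Trading Co", "bb22" * 16),
    SigRecord("updater_patch.exe", True, "Example Software Ltd", "cc33" * 16),
    SigRecord("tool.exe", False, "", ""),
]

if __name__ == "__main__":
    for path, reason in policy_gaps(SAMPLE):
        print(f"{path}: {reason}")
```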

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.