ChromeLoader attackers may be setting up fake companies to obtain code-signing certificates for malware-ridden websites
Abuse of code signing and malvertising are being used to guide victims to well-designed websites that offer seemingly legitimate tools like PDF readers and converters


A large ChromeLoader campaign that uses valid code-signing certificates to bypass Windows application-control policies has been identified in an HP Wolf Security report.
The threat actors behind the campaign may also be setting up fake companies in order to obtain certificates for bogus PDF reader websites, the report noted. By signing the installer with a valid code-signing certificate, the attackers make the malware harder to detect and block.
This lets them target a broader pool of potential victims by delivering the malware inside fake software installers tied to popular search keywords, such as PDF conversion tools, household appliance manual readers, and other types of guides.
These campaigns also use 'malvertising' to guide victims to well-designed websites that offer seemingly legitimate tools like PDF readers and converters.
Once a victim runs the installer downloaded from one of these sites, ChromeLoader takes over the browser, allowing the attackers to redirect searches to attacker-controlled sites. Because the installer carries a valid signature, it is not blocked by AppLocker publisher rules, and no warning is shown to the user.
HP's report theorizes that the code-signing certificates were either stolen from legitimate companies or that the threat actors set up fake companies, possibly with the help of generative AI tools, for the sole purpose of obtaining valid code-signing certificates.
"Based on the script structure, consistent comments for each function, and the choice of function names and variables, we think it's highly likely that the attacker used gen AI to develop these scripts," HP Wolf's report noted. "The activity shows how gen AI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints."
ChromeLoader underlines the growing threat of code-signing abuse
A valid signature tells a machine that the code came from the publisher named in the certificate and has not been modified since it was signed; it says nothing about whether the publisher, or the code, can be trusted. Security controls nevertheless lean on that signal: application-control policies such as AppLocker publisher rules allow signed binaries through, and users see no warning. A certificate that has been stolen, or issued to a fake company, therefore lets malicious code run with the same standing as legitimate software.
Against the backdrop of new AI attack methods, this abuse of code signing is creating cause for alarm, according to Kevin Bocek, the chief innovation officer at Venafi.
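The two points above (a signed installer sails past AppLocker, and "Valid" means identity and integrity rather than safety) suggest the check a defender should run before trusting a newly seen installer. The following PowerShell is an added example written for this article, not code from HP's report or the ChromeLoader campaign. It uses the built-in Get-AuthenticodeSignature and AppLocker cmdlets; the allowlist of signer thumbprints and the 90-day "young certificate" heuristic are assumptions to be tuned locally, and the example file path is hypothetical.

```powershell
# Added example: triage a signed installer instead of treating "signed" as "safe".
# Assumptions (hypothetical): $AllowedThumbprints is the organisation's own list of
# trusted signing certificates; $MaxCertAgeDays is a local heuristic, not a Windows setting.
function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $AllowedThumbprints = @(),
        [int]      $MaxCertAgeDays = 90
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered, or broken chain: an AppLocker publisher rule would not match this file anyway.
        return [pscustomobject]@{
            File   = $Path
            Status = $sig.Status
            Detail = $sig.StatusMessage
        }
    }

    $cert    = $sig.SignerCertificate
    $ageDays = ((Get-Date) - $cert.NotBefore).TotalDays

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status                  # 'Valid' = chain checks out and file is unmodified, nothing more
        Subject     = $cert.Subject                # the publisher the CA vouched for; a fake company still passes here
        Issuer      = $cert.Issuer                 # which CA issued it, useful when investigating a cluster of signers
        Thumbprint  = $cert.Thumbprint
        NotBefore   = $cert.NotBefore
        CertAgeDays = [math]::Round($ageDays)
        Allowlisted = ($AllowedThumbprints -contains $cert.Thumbprint)
        RecentCert  = ($ageDays -lt $MaxCertAgeDays)   # a freshly minted certificate deserves a second look
    }
}

# Usage (hypothetical path and thumbprint):
Test-InstallerSigner -Path 'C:\Users\Public\Downloads\PDFConverter-Setup.exe' `
                     -AllowedThumbprints @('0123456789ABCDEF0123456789ABCDEF01234567')

# When an installer does need to be allowed, generate a publisher rule scoped to that
# specific signer and product rather than a wildcard rule that admits anything with a
# valid signature. The XML can be reviewed and merged into the effective AppLocker policy.
Get-AppLockerFileInformation -Path 'C:\Users\Public\Downloads\PDFConverter-Setup.exe' |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml
```

Run on an endpoint, the object makes the distinction the article draws: a ChromeLoader installer would report Status Valid, a Subject naming a company nobody in the organisation has heard of, Allowlisted false and, if the certificate was obtained for the campaign, RecentCert true. Those last three fields, not the signature status, are what should gate whether the file is allowed to run.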
"Code signing certificates are incredibly powerful machine identities, and their misuse by attackers is a growing concern," said Bocek.
"If stolen – or fraudulently obtained – attackers can use them to distribute malware under a trusted name, making attacks like the ChromeLoader campaign identified by HP especially hard to stop."
Abuse of code signing has featured in several high-profile cases, such as the Nvidia certificate leak of 2022, where stolen signing certificates were used to sign malware, and the SolarWinds breach, where a signed, trojanized update was pushed to thousands of organizations through a trusted update channel, causing global disruption.
The latter was discussed at length in the ITPro Podcast.
Hackers target machine identities because they authenticate and authorize code, containers, and applications to connect and run. As cloud native technologies grow and more developers use tools like AI coding assistants, the need to secure machine identities like code signing certificates will become more urgent, according to Bocek.
He suggests that experts are calling for a control plane for machine identity that brings together protection across a business from code signing to Transport Layer Security (TLS) certificates.
"Neglecting this advice leaves companies dangerously exposed," Bocek added.
Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.