A large ChromeLoader campaign that uses valid 'code-signing' certificates to bypass Windows security policies has been identified by an HP Wolf Security report.
Threat actors using the ChromeLoader exploit may also be setting up fake companies in a bid to validate certificates for bogus PDF reader websites, the report noted. In signing the installation file with valid code signing certificates, the attackers are making malware more difficult to detect.
Here, they can target a broader pool of potential victims by delivering the malware inside fake software installers associated with popular search engine keywords, such as PDF conversion tools, household appliance manual readers, and other types of guides.
These campaigns also use 'malvertising' to guide victims to well-designed websites that offer seemingly legitimate tools like PDF readers and converters.
Once the infected site is visited, the attackers can then take over their victim's browsers, allowing them to redirect searches to attacker-controlled sites. With the code-signed certificate, the installation is not blocked by AppLocker security policies, and no warning is shown to the user.
HP's report theorizes that the code-signed certificates were either stolen from legitimate companies or that threat actors have set them up with generative AI tools for the sole purpose of obtaining valid code-signing certificates.
"Based on the script structure, consistent comments for each function, and the choice of function names and variables, we think it's highly likely that the attacker used gen AI to develop these scripts," HP Wolf's report noted. "The activity shows how gen AI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints."
ChromeLoader underlines the growing threat of 'code signing'
A compromised certificate tells machines that software is safe, which allows it to be installed and run without raising any alarms. Under normal circumstances, if malicious software is detected, the machine would block the installation but the valid certificate, even with its malicious code, is treated as safe.
Against the backdrop of new AI attack methods, this abuse of code is creating cause for alarm, according to Kevin Bocek, the chief innovation officer at Venafi.
"Code signing certificates are incredibly powerful machine identities, and their misuse by attackers is a growing concern," said Bocek.
"If stolen – or fraudulently obtained – attackers can use them to distribute malware under a trusted name, making attacks like the ChromeLoader campaign identified by HP especially hard to stop."
Code signing has been used to great effect in several high-profile cases, such as the Nvidia certificate leak of 2022 and the SolarWinds breach, where code-signed malware was installed on millions of machines causing mass global disruption.
The latter was discussed at length in the ITPro Podcast.
Hackers target machine identities because they authenticate and authorize code, containers, and applications to connect and run. As cloud native technologies grow and more developers use tools like AI coding assistants, the need to secure machine identities like code signing certificates will become more urgent, according to Bocek.
He suggests that experts are calling for a control plane for machine identity that brings together protection across a business from code signing to Transport Layer Security (TLS) certificates.
"Neglecting this advice leaves companies dangerously exposed," Bocek added.
