General security

Hiding malware in certificates

Howard Poston
February 13, 2019 by
Howard Poston

Late last year, Sophos published a blog post describing a new tactic in the arms race between hackers trying to sneak malicious content past anti-malware and data exfiltration scanners and the network defenders trying to stop them. The post was based on a Tweet by security researcher Paul Melson, where he shows an example of a malicious certificate that he came across in his research.

The sample malicious smart contract shown in Melson’s Tweet shows that this attack vector is still in the test phases, as the hidden code only tries to run a program that is already installed on the host computer (indicating that the computer has already been infected by malware). In this post, we’ll discuss how this new technique works and some of the possible applications.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Hiding data in fake certificates

Digital certificates are a common sight on the Internet. Digital certificates provide a website’s public keys, which are used for verification of the website’s authenticity and for setting up encrypted communications for HTTPS-enabled sites. Digital certificates are such a common sight that most network defenders won’t think twice about them, making them an ideal candidate for a covert communication channel.

In this section, we’ll take a look at what a real digital certificate looks like, how to differentiate it from the fake ones used in this attack and how to decode the information contained in a digital certificate.

A real certificate

Before digging into the details of the fake certificate used in this attack, let’s take a look at what a real one looks like. Certificates have two main encoding styles: DER-encoded and PEM-encoded. As an example, we’ll use the digital certificate for infosecinstitute.com. [CLICK TO ENLARGE]

The image above shows a DER-encoded certificate opened in a hex editor. This is a binary file, including strings describing the certificate authority (GoDaddy) and the website that the certificate maps to (infosecinstitute.com). The main issue with this encoding of the certificate is that it includes unprintable ASCII characters, which some Internet protocols (like SMTP) cannot transmit or process.

PEM-encoded certificates (like the one above) are designed to be transmittable and usable by any Internet protocol. They take the raw data from the DER-encoded certificate and transform it (using Base64 encoding) into only printable ASCII characters. This version also has -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags to help identify that this is a certificate file.

 

The certificate used in this attack is PEM-encoded, because Base64 encoding hides strings included in the original certificate (note that you can’t see infosecinstitute.com in the new version), raising the bar for scanners attempting to identify suspicious or malicious documents passing the network perimeter.

A fake one

Now that we’ve seen what a real certificate looks like, let’s take a look at the malicious one shared in Paul Melson’s Tweet. A screenshot of the certificate is shown below, and the complete certificate can be found here.

To the casual glance, this certificate looks a lot like the one that we saw in the previous section. It has the -----BEGIN CERTIFICATE----- opening of certificates followed by a long block of Base64-encoded text and the END CERTIFICATE tag. However, this is very clearly a fake certificate.

If you’ve performed reverse-engineering, you may be familiar with the concept of “magic numbers.” These are values, usually found near the beginning of a file, that identify the type of file it is. For example, Windows executable files (.exe and .dll) always begin with the ASCII characters MZ or 0x4D5A. (These are the initials of Mark Zbikowski, a Microsoft engineer.) PDF files begin with 0x255044462d (%PDF-), and Linux binaries start with 0x7F454C46 (.ELF) for the Executable and Linking Format (ELF). Knowing the magic number or file signature of a file type can help with identifying a real certificate.

The magic number for a DER-encoded certificate is 0x3082. Every legitimate certificate will start with this in the DER-encoded format. However, the certificates that we’re looking at here are PEM-encoded, meaning that they use Base64 encoding after the -----BEGIN CERTIFICATE----- tag. The Base64 encoded version of 0x3082 is MII (add a = to the end as padding to test). Now, take a look at the malicious certificate, which starts with UEs. That alone is enough to show that this isn’t a real certificate.

Decoding a fake certificate

Now that we know we have a fake certificate, the next logical step is finding out what’s inside. To decode a certificate, we (and hackers trying to remain inconspicuous) can use the certutil command built into Windows. After downloading the malicious certificate to malicious.cer, use the following command:

certutil -decode malicious.cer dumped

The next step is finding out the type of file that was hidden in the certificate. The dumped file is shown in a hex editor below.

Returning to magic numbers, we find that PK is the signature for a ZIP archive. After extracting the archive, we see the file structure of an Excel document (which is stored as a ZIP archive). Examining the contents of the file reveals that it is a macro-enabled Excel document (.xlsm).

The macro code contained in the document is shown above. This macro is designed to run a program called C:shell.exe in the Windows command prompt. This isn’t a program installed by default on Windows, indicating that this certificate is intended as a second-stage attack after an initial infection.

Applications of fake certificates

The certificate used in this attack was designed to work with a previously-installed downloader to expand an attacker’s foothold on a compromised system. The use of the certificate was designed to slip a second-stage executable past network scanners, but this isn’t the only potential application of this attack vector.

Network communications are a two-way street, with network defenders trying to prevent malicious traffic from coming in and sensitive company data from going out. This technique for concealing data within malicious certificates can be applied to both use cases. Downloading and extracting certificates is not a malicious action, meaning that a downloader configured to use this technique is more likely to slip past a security scanner. Organizations commonly ignore digital certificates (since they’re designed to provide public information), so encoding sensitive data within digital certificates and sending them out is a promising method for data exfiltration. The power of this method lies in its secrecy.

As demonstrated here, however, it’s fairly easy to differentiate a fake digital certificate from a real one. Updating scanners to pay more attention to inbound and outbound digital signatures will protect an organization’s network from attacks using this new technique.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Sources

Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.