A hacker is using fake code-signing certificates impersonating cybersecurity firm Emsisoft to target customers using its security products, hoping to bypass their defenses.
Code signing certificates are digital signatures used to sign an application so that users, software, and operating systems can verify that the software has not been tampered with since the publisher signed it.
Threat actors attempt to take advantage of this by creating fake certificates whose name appears to be associated with a trustworthy entity but, in reality, are not valid certificates.
In a new security advisory, Emsisoft warned that one of its customers was targeted by hackers using an executable signed by a spoofed Emsisoft certificate. The company believes this was done to trick the customer into thinking any detections were a false positive and to allow the program to run.
“We recently observed an incident in which a fake code-signing certificate supposedly belonging to Emsisoft was used in an attempt to obfuscate a targeted attack against one of our customers,” said Emsisoft in the security advisory.
“The organization in question used our products and the attacker’s aim was to get that organization to allow an application the threat actor installed and intended to use by making its detection appear to be a false-positive.”
While the attack failed, and Emsisoft’s security software blocked the file due to the invalid signature, the company is warning its customers to stay vigilant against similar attacks.
Spoofing Emsisoft for remote access
Emsisoft says the threat actor likely gained initial access to the compromised device via brute-forcing RDP or using stolen credentials belonging to an employee of the targeted organization.
After accessing the endpoint, the attackers attempted to install MeshCentral, an open-source remote access application typically trusted by security products because it is employed for legitimate purposes.
However, this MeshCentral executable was signed with a fake Emsisoft certificate claiming to be from “Emsisoft Server Trusted Network CA.”
While Emsisoft did not share details on the executable, BleepingComputer discovered it was named ‘smsse.exe’ [VirusTotal], as shown below.
When Emsisoft’s security product scanned the file, it marked it as “Unknown” due to the invalid signature and quarantined the file.
However, if an employee was to treat this warning as a false positive due to the digital signature name, they might have allowed the application to run, enabling the attacker to gain full access to the device.
This remote access could then be used to disable protections, spread laterally within the network, steal sensitive data, and potentially deploy ransomware.
Emsisoft warns that executables should only be trusted after confirming a file is not malicious and to contact security vendors before allowing an executable to run with an invalid signature.
“This incident demonstrates the need for organizations to have multiple layers of protection so that, should one layer fail to block an attack, another layer will,” explains Emsisoft.
The company also suggests that system administrators set a password on their Emsisoft product to prevent it from being tampered with or disabled in case of a breach, such as this attempted one.