Aug 4, 1:58 pm (UTC-7) | by Trend Micro Advanced Threats Researchers
While conducting continuous threat-monitoring activities, Trend Micro threat researchers identified multiple suspicious files that included a strange digital signature. This signature immediately caught our attention, as it seemed to be signed by legitimate antivirus company Kaspersky.
When we examined the signature, we found that the hash it carries does not match the file it is attached to, so the signature is invalid. An Authenticode signature covers a hash of the specific file that was signed; copying the signature block from one executable onto another leaves the old hash in place, so verification fails on the new file. The certificate the signature was made with had also already expired. (Ironically, the signature used in this case appears to have been copied from Kaspersky's "ZbotKiller" cleaning tool.)
Upon further investigation, we confirmed that the suspicious files are indeed malicious—ZeuS (ZBOT) variants detected as TSPY_ZBOT.BWP, TROJ_ZBOT.BYM, and TROJ_ZBOT.KJT.
This isn't the first time cybercriminals have abused digital signatures. The first STUXNET malware was signed with a certificate from Realtek Semiconductor Corp., and a later variant with one from JMicron Technology. In both of those cases, however, the attackers had obtained the companies' private signing keys and so produced signatures that actually validated. Here, by contrast, only the signature block was copied; no private key was involved.
This fake Kaspersky signature illustrates what seems to be a growing trend among cybercriminals, and it is a good reminder to check the details of a signature and confirm that it actually validates for the file in question, rather than glancing at the signer's name alone.
A signature block, unfortunately, can be copied from any signed file onto any other file by any cybercriminal with the intent to do so. The antivirus company named here could not have prevented this incident, since its signing key was never compromised, and it is likely that we will continue to see more such incidents in the future.
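The check the post recommends, as an added example that is not part of the original post or of any Trend Micro or Kaspersky tooling: a PowerShell function that runs Windows' own Authenticode verification over a file and reports the signer, the certificate validity window and whether the embedded hash covers the file. The sample path `C:\Samples\suspect.exe` is a placeholder; substitute the file you are examining. A signature block copied from another executable, as in the ZBOT samples above, comes back with the status `HashMismatch`.

```powershell
# Added example, not code from the original post. Triages a file's Authenticode
# signature with the built-in Get-AuthenticodeSignature cmdlet. The path below
# is hypothetical; point it at the file you want to examine.

function Test-SuspectSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $now  = Get-Date

    $result = [ordered]@{
        File   = $Path
        Status = $sig.Status          # Valid, HashMismatch, NotSigned, NotTrusted, ...
        Detail = $sig.StatusMessage
    }

    if ($cert) {
        # The signer's name alone proves nothing; record who issued the cert and when it was valid.
        $result.Subject     = $cert.Subject
        $result.Issuer      = $cert.Issuer
        $result.Thumbprint  = $cert.Thumbprint
        $result.NotBefore   = $cert.NotBefore
        $result.NotAfter    = $cert.NotAfter
        $result.CertExpired = ($cert.NotAfter -lt $now)
        # A countersignature timestamp lets a signature made while the cert was valid keep
        # verifying after expiry. An expired cert with no timestamp is a red flag.
        $result.TimeStamped = [bool]$sig.TimeStamperCertificate
    }

    # The case described in the post: the signature block was lifted from another file,
    # so the hash inside it does not cover this file's Authenticode-hashed regions.
    $result.Verdict = switch ($sig.Status) {
        'Valid'        { 'signature verifies for this file' }
        'HashMismatch' { 'signed hash does not cover this file: signature copied or file tampered' }
        'NotSigned'    { 'no Authenticode signature present' }
        default        { "do not trust: $($sig.Status)" }
    }

    [pscustomobject]$result
}

# Usage (hypothetical sample path):
Test-SuspectSignature -Path 'C:\Samples\suspect.exe' | Format-List
```

To sweep a whole directory, pipe `Get-ChildItem -Recurse -Include *.exe,*.dll` into `ForEach-Object { Test-SuspectSignature $_.FullName }` and filter on `Status -ne 'Valid'`; anything reporting `HashMismatch` under a well-known vendor's name deserves the same scrutiny as the samples in this post.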
Trend Micro has informed Kaspersky of this incident.