Due to data leaks related to the Nvidia hack by a group calling itself Lapsus$, stolen code-signing certificates are being used to gain remote access to unsuspecting machines and to deploy other malicious software. According to the report, the certificates are being used to “develop new types of malware,” and BleepingComputer lists Cobalt Strike beacons, Mimikatz, backdoors and Remote Access Trojans (RATs) as just a few of the malware families being signed with them.
In case you don’t know, a code signing certificate is what developers use to sign executables and drivers before publishing them. It gives Windows and prospective users a way to verify who produced the original file. Microsoft requires kernel-mode drivers to be code-signed, or the OS will refuse to load them. If some hooligan signs malware with a genuine Nvidia certificate, your computer may not catch the malware before it is unpacked and does damage to your system.
Nvidia’s recent digital siege ended with Lapsus$ demanding that the company release a hash rate bypass, a demand that was not met. The fallout has leaked not only code-signing certificates but also 71,000 employee credentials, Nvidia DLSS source code, and possibly even some next-gen GeForce GPU names.

As one security researcher put it on Twitter on March 3, 2022: “As part of #NvidiaLeaks, two code signing certificates were compromised. Although they have expired, Windows still allows you to use them to sign drivers. For more on certificate leaks, see my BH/DC talk: pic.twitter.com/gCrol0BxHd”
Of course, it didn’t take long for the leaked certificates to join the arsenal of hackers lurking on the web, who jumped at the opportunity to hide behind genuine Nvidia signatures to carry out their malicious plans. The certificates are now being used to sign Windows drivers as well as Quasar RAT, as VirusTotal currently shows: “46 security vendors and one sandbox have flagged this file as malicious.”
BleepingComputer, drawing on reports from security researchers Kevin Beaumont and Will Dormann, lists the following serial numbers as ones to look out for:
Both are actually expired Nvidia certificates, but your OS will still let files signed with them through. Just something to watch out for if you’re about to run a file that you think might have been tampered with. There are ways to tell Windows not to trust files signed with those certificates, but they may be inconvenient to implement if you don’t have IT experience, and they can also cause problems when you install a legitimately signed Nvidia driver.
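As an added example (not code from the article or from any of the researchers it cites), here is a PowerShell check a defender can run to find files on a machine that are signed with the leaked certificates or with any expired signer; the serial numbers are placeholders to be replaced with the ones in BleepingComputer’s list, and the scan path is an assumption.

```powershell
# Added example, not from the article. Flags files whose Authenticode signer
# certificate serial number is on a blocklist, or whose signer certificate has
# expired. PLACEHOLDER serials must be replaced with the reported values.
$BlockedSerials = @(
    'PLACEHOLDER_SERIAL_1',
    'PLACEHOLDER_SERIAL_2'
) | ForEach-Object { $_.ToUpperInvariant() }

function Test-SuspiciousSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        return [pscustomobject]@{ Path = $Path; Subject = ''; Serial = '';
                                  Status = $sig.Status; Finding = 'Unsigned' }
    }

    $findings = @()
    if ($BlockedSerials -contains $cert.SerialNumber.ToUpperInvariant()) {
        $findings += 'Signed with a blocklisted (leaked) certificate'
    }
    # An expired signer is not proof of tampering on its own: Nvidia's own
    # drivers signed before expiry will show this too, so treat it as a cue
    # to check the file's origin rather than as a verdict.
    if ($cert.NotAfter -lt (Get-Date)) {
        $findings += "Signer certificate expired on $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    }
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status: $($sig.Status)"
    }

    [pscustomobject]@{
        Path    = $Path
        Subject = $cert.Subject
        Serial  = $cert.SerialNumber
        Status  = $sig.Status
        Finding = if ($findings) { $findings -join '; ' } else { 'No finding' }
    }
}

# Scan drivers and executables under an assumed path; show only files with a finding.
Get-ChildItem -Path 'C:\path\to\scan' -Recurse -Include *.sys,*.exe -File |
    ForEach-Object { Test-SuspiciousSignature -Path $_.FullName } |
    Where-Object { $_.Finding -ne 'No finding' } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session so driver directories are readable; a hit on a blocklisted serial is the signal to quarantine the file and trace where it came from.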