• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Malware On the Prowl Using Stolen NVIDIA Code Signing Certificates

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,230 (7.55/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
Stolen code-signing certificates of NVIDIA scored from the recent cyber-attack, are being used to develop a new breed of malware that can appear "trustworthy" to Windows PCs. The code-signing certificates leaked to the web as part of the hacker group expired in 2014 and 2018, but Windows PCs are still able to see them as being used for signing drivers. One such malware that hit anti-virus provider VirusTotal, is a variant of the Quasar RAT (remote-access trojan), signed with NVIDIA certificates. A RAT works in the background, granting remote-access to your machine to an attacking group with read-write access, who can then do anything from stealing data or holding it to ransom by encrypting it.



View at TechPowerUp Main Site | Source
 
Joined
Apr 19, 2018
Messages
1,227 (0.51/day)
Processor AMD Ryzen 9 5950X
Motherboard Asus ROG Crosshair VIII Hero WiFi
Cooling Arctic Liquid Freezer II 420
Memory 32Gb G-Skill Trident Z Neo @3806MHz C14
Video Card(s) MSI GeForce RTX2070
Storage Seagate FireCuda 530 1TB
Display(s) Samsung G9 49" Curved Ultrawide
Case Cooler Master Cosmos
Audio Device(s) O2 USB Headphone AMP
Power Supply Corsair HX850i
Mouse Logitech G502
Keyboard Cherry MX
Software Windows 11
Where is your arrogance now, nGreedia?
 
Joined
Feb 1, 2019
Messages
3,578 (1.69/day)
Location
UK, Midlands
System Name Main PC
Processor 13700k
Motherboard Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling Noctua NH-D15S
Memory 32 Gig 3200CL14
Video Card(s) 4080 RTX SUPER FE 16G
Storage 1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s) LG 27GL850
Case Fractal Define R4
Audio Device(s) Soundblaster AE-9
Power Supply Antec HCG 750 Gold
Software Windows 10 21H2 LTSC
Those certs are expired so wont be trusted, what am i missing here?
 
Joined
Jun 29, 2018
Messages
537 (0.23/day)
Those certs are expired so wont be trusted, what am i missing here?
Unfortunately it's not as clear cut under Windows. An application signed by a trusted Certificate Authority, even if the CA is expired, is still trusted.
While drivers are usually WHQL-signed by Microsoft (using the Microsoft Windows Hardware Compatibility Publisher CA) there are exceptions that still get installed even if the CA certificate is expired.
There are mechanisms to revoke a CA certificate, but it's going to be a messy affair - every piece of software signed by that CA will become untrusted.
 
Joined
Oct 4, 2017
Messages
706 (0.27/day)
Location
France
Processor RYZEN 7 5800X3D
Motherboard Aorus B-550I Pro AX
Cooling HEATKILLER IV PRO , EKWB Vector FTW3 3080/3090 , Barrow res + Xylem DDC 4.2, SE 240 + Dabel 20b 240
Memory Viper Steel 4000 PVS416G400C6K
Video Card(s) EVGA 3080Ti FTW3
Storage XPG SX8200 Pro 512 GB NVMe + Samsung 980 1TB
Display(s) Dell S2721DGF
Case NR 200
Power Supply CORSAIR SF750
Mouse Logitech G PRO
Keyboard Meletrix Zoom 75 GT Silver
Software Windows 11 22H2
Where is your arrogance now, nGreedia?



How is your comment even remotely relevant to the article ......... :banghead:
 
Joined
Aug 20, 2007
Messages
21,450 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Those certs are expired so wont be trusted, what am i missing here?
They will for drivers. Thank the weird code-signing world MS-created.

Unfortunately it's not as clear cut under Windows. An application signed by a trusted Certificate Authority, even if the CA is expired, is still trusted.
While drivers are usually WHQL-signed by Microsoft (using the Microsoft Windows Hardware Compatibility Publisher CA) there are exceptions that still get installed even if the CA certificate is expired.
There are mechanisms to revoke a CA certificate, but it's going to be a messy affair - every piece of software signed by that CA will become untrusted.
This is the more detailed version of the answer.
 
Joined
Apr 19, 2018
Messages
1,227 (0.51/day)
Processor AMD Ryzen 9 5950X
Motherboard Asus ROG Crosshair VIII Hero WiFi
Cooling Arctic Liquid Freezer II 420
Memory 32Gb G-Skill Trident Z Neo @3806MHz C14
Video Card(s) MSI GeForce RTX2070
Storage Seagate FireCuda 530 1TB
Display(s) Samsung G9 49" Curved Ultrawide
Case Cooler Master Cosmos
Audio Device(s) O2 USB Headphone AMP
Power Supply Corsair HX850i
Mouse Logitech G502
Keyboard Cherry MX
Software Windows 11


How is your comment even remotely relevant to the article ......... :banghead:
Really? How did you even figure out how to post in the first place... "remotely relevant" OMG
 
Joined
Aug 20, 2007
Messages
21,450 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Really? How did you even figure out how to post in the first place... "remotely relevant" OMG
I mean, a lot of companies get hacked these days. I don't think paying up is the answer.
 
Joined
Feb 1, 2019
Messages
3,578 (1.69/day)
Location
UK, Midlands
System Name Main PC
Processor 13700k
Motherboard Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling Noctua NH-D15S
Memory 32 Gig 3200CL14
Video Card(s) 4080 RTX SUPER FE 16G
Storage 1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s) LG 27GL850
Case Fractal Define R4
Audio Device(s) Soundblaster AE-9
Power Supply Antec HCG 750 Gold
Software Windows 10 21H2 LTSC
Unfortunately it's not as clear cut under Windows. An application signed by a trusted Certificate Authority, even if the CA is expired, is still trusted.
While drivers are usually WHQL-signed by Microsoft (using the Microsoft Windows Hardware Compatibility Publisher CA) there are exceptions that still get installed even if the CA certificate is expired.
There are mechanisms to revoke a CA certificate, but it's going to be a messy affair - every piece of software signed by that CA will become untrusted.
Hmm, not on applocker/srp, been a pain to update as more certs shortlived now, whatever part of windows allows expired certs needs fixing though.
 

bug

Joined
May 22, 2015
Messages
13,755 (3.96/day)
Processor Intel i5-12600k
Motherboard Asus H670 TUF
Cooling Arctic Freezer 34
Memory 2x16GB DDR4 3600 G.Skill Ripjaws V
Video Card(s) EVGA GTX 1060 SC
Storage 500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 2TB Crucial MX500
Display(s) Dell U3219Q + HP ZR24w
Case Raijintek Thetis
Audio Device(s) Audioquest Dragonfly Red :D
Power Supply Seasonic 620W M12
Mouse Logitech G502 Proteus Core
Keyboard G.Skill KM780R
Software Arch Linux + Win10
Unfortunately it's not as clear cut under Windows. An application signed by a trusted Certificate Authority, even if the CA is expired, is still trusted.
While drivers are usually WHQL-signed by Microsoft (using the Microsoft Windows Hardware Compatibility Publisher CA) there are exceptions that still get installed even if the CA certificate is expired.
There are mechanisms to revoke a CA certificate, but it's going to be a messy affair - every piece of software signed by that CA will become untrusted.
That doesn't stop Microsoft from pushing an update and blacklisting those certificates explicitly.
Hopefully users savvy enough to block updates are also savvy enough to spot an expired certificate.
 
Joined
Jan 14, 2019
Messages
12,337 (5.77/day)
Location
Midlands, UK
System Name Nebulon B
Processor AMD Ryzen 7 7800X3D
Motherboard MSi PRO B650M-A WiFi
Cooling be quiet! Dark Rock 4
Memory 2x 24 GB Corsair Vengeance DDR5-4800
Video Card(s) AMD Radeon RX 6750 XT 12 GB
Storage 2 TB Corsair MP600 GS, 2 TB Corsair MP600 R2
Display(s) Dell S3422DWG, 7" Waveshare touchscreen
Case Kolink Citadel Mesh black
Audio Device(s) Logitech Z333 2.1 speakers, AKG Y50 headphones
Power Supply Seasonic Prime GX-750
Mouse Logitech MX Master 2S
Keyboard Logitech G413 SE
Software Bazzite (Fedora Linux) KDE
How dangerous is it actually? I mean, it's called Quasar.exe that you'd have to obtain from somewhere, and there's also UAC before it's executed.
 
Joined
Jun 29, 2018
Messages
537 (0.23/day)
Hmm, not on applocker/srp, been a pain to update as more certs shortlived now, whatever part of windows allows expired certs needs fixing though.
It is a hard problem for Windows. If you let signatures by expired CAs be untrusted, then a lot of old software will stop working/throw scary errors on startup. Windows' strength is backwards compatibility so they can't really do that.

That doesn't stop Microsoft from pushing an update and blacklisting those certificates explicitly.
Hopefully users savvy enough to block updates are also savvy enough to spot an expired certificate.
Of course, that's why I wrote that there are mechanisms to revoke certificates :)
The problem is that there's a lot of legitimate software made by NVidia which is signed with those leaked CAs. If Microsoft/NV/VeriSign revoke the certs then those executable will cause scary UAC errors. That's why a compromised CA is always a huge hurdle to fix.

How dangerous is it actually? I mean, it's called Quasar.exe that you'd have to obtain from somewhere, and there's also UAC before it's executed.
It can be called whatever really, let's say NvBroadcast.Container.exe or any other legitimate-sounding name.
Unfortunately that UAC will tell you it's valid software from NVidia, at least until the CA is revoked and the changes propagated to Windows trust store.
 
Joined
Jan 14, 2019
Messages
12,337 (5.77/day)
Location
Midlands, UK
System Name Nebulon B
Processor AMD Ryzen 7 7800X3D
Motherboard MSi PRO B650M-A WiFi
Cooling be quiet! Dark Rock 4
Memory 2x 24 GB Corsair Vengeance DDR5-4800
Video Card(s) AMD Radeon RX 6750 XT 12 GB
Storage 2 TB Corsair MP600 GS, 2 TB Corsair MP600 R2
Display(s) Dell S3422DWG, 7" Waveshare touchscreen
Case Kolink Citadel Mesh black
Audio Device(s) Logitech Z333 2.1 speakers, AKG Y50 headphones
Power Supply Seasonic Prime GX-750
Mouse Logitech MX Master 2S
Keyboard Logitech G413 SE
Software Bazzite (Fedora Linux) KDE
It can be called whatever really, let's say NvBroadcast.Container.exe or any other legitimate-sounding name.
Unfortunately that UAC will tell you it's valid software from NVidia, at least until the CA is revoked and the changes propagated to Windows trust store.
That's OK, but why would you give permission for any "legitimate software from nvidia" to be installed unless you yourself initiated a driver update?
 
Joined
Jun 29, 2018
Messages
537 (0.23/day)
That's OK, but why would you give permission for any "legitimate software from nvidia" to be installed unless you yourself initiated a driver update?
You overestimate the average user's security practices ;)
Most don't read those dialogues carefully unless they are errors, and some just click through it as fast as possible.

Common threats will be detected beforehand by either Windows Defender or other AV products, but a leaked trusted CA like that gives a lot of opportunities for bad actors. Tailored exploits won't be detected and will seem like legitimate software from NVidia. It's a bad situation for everybody, especially NVidia.
 
Joined
Jan 14, 2019
Messages
12,337 (5.77/day)
Location
Midlands, UK
System Name Nebulon B
Processor AMD Ryzen 7 7800X3D
Motherboard MSi PRO B650M-A WiFi
Cooling be quiet! Dark Rock 4
Memory 2x 24 GB Corsair Vengeance DDR5-4800
Video Card(s) AMD Radeon RX 6750 XT 12 GB
Storage 2 TB Corsair MP600 GS, 2 TB Corsair MP600 R2
Display(s) Dell S3422DWG, 7" Waveshare touchscreen
Case Kolink Citadel Mesh black
Audio Device(s) Logitech Z333 2.1 speakers, AKG Y50 headphones
Power Supply Seasonic Prime GX-750
Mouse Logitech MX Master 2S
Keyboard Logitech G413 SE
Software Bazzite (Fedora Linux) KDE
You overestimate the average user's security practices ;)
Most don't read those dialogues carefully unless they are errors, and some just click through it as fast as possible.

Common threats will be detected beforehand by either Windows Defender or other AV products, but a leaked trusted CA like that gives a lot of opportunities for bad actors. Tailored exploits won't be detected and will seem like legitimate software from NVidia. It's a bad situation for everybody, especially NVidia.
My point stands. It doesn't matter where the software is from - if it wasn't you that initiated the installation process, you click "No" in UAC. Simple as that. If that protects you from this malware, happy days. :)

If someone clicks "Yes" every single time UAC pops up without reading it, it's their own fault. UAC was created exactly for situations like this. All I can do is spread the word (which I do anyway).

It's a different kind of situation when you downloaded something, and UAC says it's from nvidia. But that's suspicious enough as well, I guess.
 
Joined
May 20, 2020
Messages
1,370 (0.83/day)
That's just nasty; instead of gpu specs we get malware with their certificates, ahh the Le Chatelier principle (of least resistance/effort) and adherence to it... :rolleyes: :)
 

bug

Joined
May 22, 2015
Messages
13,755 (3.96/day)
Processor Intel i5-12600k
Motherboard Asus H670 TUF
Cooling Arctic Freezer 34
Memory 2x16GB DDR4 3600 G.Skill Ripjaws V
Video Card(s) EVGA GTX 1060 SC
Storage 500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 2TB Crucial MX500
Display(s) Dell U3219Q + HP ZR24w
Case Raijintek Thetis
Audio Device(s) Audioquest Dragonfly Red :D
Power Supply Seasonic 620W M12
Mouse Logitech G502 Proteus Core
Keyboard G.Skill KM780R
Software Arch Linux + Win10
Of course, that's why I wrote that there are mechanisms to revoke certificates :)
The problem is that there's a lot of legitimate software made by NVidia which is signed with those leaked CAs. If Microsoft/NV/VeriSign revoke the certs then those executable will cause scary UAC errors. That's why a compromised CA is always a huge hurdle to fix.
I fail to see the problem. Certificates have an expiration date because you're not supposed to use them after that date. If you install something signed by Nvidia today, it must be signed using current certificates.
 
Joined
Aug 20, 2007
Messages
21,450 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Hmm, not on applocker/srp, been a pain to update as more certs shortlived now, whatever part of windows allows expired certs needs fixing though.
The problem is it's grandfathered in from long ago... "fix" it and suddenly any driver pre 2016 or so ceases to function.
 
Joined
Jun 29, 2018
Messages
537 (0.23/day)
I fail to see the problem. Certificates have an expiration date because you're not supposed to use them after that date. If you install something signed by Nvidia today, it must be signed using current certificates.
That's not true. Take for example the GeForce 342.01 driver from 2016 which is signed with a Code Signing certificate valid from 2015 to 2018. Windows validates this signature and UAC shows the .exe to be trusted, from NVidia.
Edit: Scratch that, I misunderstood you. You're correct, the timestamping countersignature prevents using those leaked CAs for signing new software, under normal circumstances.
 
Last edited:
  • Like
Reactions: bug
Joined
Feb 1, 2013
Messages
1,265 (0.29/day)
System Name Gentoo64 /w Cold Coffee
Processor 9900K 5.2GHz @1.312v
Motherboard MXI APEX
Cooling Raystorm Pro + 1260mm Super Nova
Memory 2x16GB TridentZ 4000-14-14-28-2T @1.6v
Video Card(s) RTX 4090 LiquidX Barrow 3015MHz @1.1v
Storage 660P 1TB, 860 QVO 2TB
Display(s) LG C1 + Predator XB1 QHD
Case Open Benchtable V2
Audio Device(s) SB X-Fi
Power Supply MSI A1000G
Mouse G502
Keyboard G815
Software Gentoo/Windows 10
Benchmark Scores Always only ever very fast
all useless, where're ma custom bios
 
Joined
Feb 1, 2019
Messages
3,578 (1.69/day)
Location
UK, Midlands
System Name Main PC
Processor 13700k
Motherboard Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling Noctua NH-D15S
Memory 32 Gig 3200CL14
Video Card(s) 4080 RTX SUPER FE 16G
Storage 1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s) LG 27GL850
Case Fractal Define R4
Audio Device(s) Soundblaster AE-9
Power Supply Antec HCG 750 Gold
Software Windows 10 21H2 LTSC
It is a hard problem for Windows. If you let signatures by expired CAs be untrusted, then a lot of old software will stop working/throw scary errors on startup. Windows' strength is backwards compatibility so they can't really do that.


Of course, that's why I wrote that there are mechanisms to revoke certificates :)
The problem is that there's a lot of legitimate software made by NVidia which is signed with those leaked CAs. If Microsoft/NV/VeriSign revoke the certs then those executable will cause scary UAC errors. That's why a compromised CA is always a huge hurdle to fix.


It can be called whatever really, let's say NvBroadcast.Container.exe or any other legitimate-sounding name.
Unfortunately that UAC will tell you it's valid software from NVidia, at least until the CA is revoked and the changes propagated to Windows trust store.
On old software I had to use other ways of whitelisting on SRP such as hash or path.

So it seems windows itself is inconsistent as App locker and SRP do not trust expired certs. But as you said other parts of the OS do.

But those two features are aimed at enterprise use so logical they are strict.

I guess its going to be revocation and hoping people keep their cert stores updated.
 
Joined
Jun 29, 2018
Messages
537 (0.23/day)
But those two features are aimed at enterprise use so logical they are strict.
Yeah, I was writing about normal user's experience.
I guess its going to be revocation and hoping people keep their cert stores updated.
There's no need to do anything, Windows keeps them updated and Explorer makes internet revocation checks when details of a signature are displayed (via Properties, Digital Signatures, Details).
 
Joined
Mar 10, 2010
Messages
11,878 (2.21/day)
Location
Manchester uk
System Name RyzenGtEvo/ Asus strix scar II
Processor Amd R5 5900X/ Intel 8750H
Motherboard Crosshair hero8 impact/Asus
Cooling 360EK extreme rad+ 360$EK slim all push, cpu ek suprim Gpu full cover all EK
Memory Corsair Vengeance Rgb pro 3600cas14 16Gb in four sticks./16Gb/16GB
Video Card(s) Powercolour RX7900XT Reference/Rtx 2060
Storage Silicon power 2TB nvme/8Tb external/1Tb samsung Evo nvme 2Tb sata ssd/1Tb nvme
Display(s) Samsung UAE28"850R 4k freesync.dell shiter
Case Lianli 011 dynamic/strix scar2
Audio Device(s) Xfi creative 7.1 on board ,Yamaha dts av setup, corsair void pro headset
Power Supply corsair 1200Hxi/Asus stock
Mouse Roccat Kova/ Logitech G wireless
Keyboard Roccat Aimo 120
VR HMD Oculus rift
Software Win 10 Pro
Benchmark Scores 8726 vega 3dmark timespy/ laptop Timespy 6506
Oh dear, kin rat's nest this:p ,I will hopefully not be affected but a lot of us do use some random ass software that likes to install a lot of random ass exes , looking at you Asus ,icue, nicehash.
 
Top