
Malware On the Prowl Using Stolen NVIDIA Code Signing Certificates

btarunr
Stolen code-signing certificates of NVIDIA, scored from the recent cyber-attack, are being used to develop a new breed of malware that can appear "trustworthy" to Windows PCs. The code-signing certificates leaked to the web by the hacker group expired in 2014 and 2018, but Windows PCs are still able to see them as being used for signing drivers. One such malware that hit anti-virus provider VirusTotal is a variant of the Quasar RAT (remote-access trojan), signed with NVIDIA certificates. A RAT works in the background, granting remote access to your machine to an attacking group with read-write access, who can then do anything from stealing data to holding it to ransom by encrypting it.



 
Where is your arrogance now, nGreedia?
 
Those certs are expired so won't be trusted, what am I missing here?
 
Those certs are expired so won't be trusted, what am I missing here?
Unfortunately it's not as clear cut under Windows. An application signed by a trusted Certificate Authority, even if the CA is expired, is still trusted.
While drivers are usually WHQL-signed by Microsoft (using the Microsoft Windows Hardware Compatibility Publisher CA) there are exceptions that still get installed even if the CA certificate is expired.
There are mechanisms to revoke a CA certificate, but it's going to be a messy affair - every piece of software signed by that CA will become untrusted.
 
Where is your arrogance now, nGreedia?



How is your comment even remotely relevant to the article ......... :banghead:
 
Those certs are expired so won't be trusted, what am I missing here?
They will for drivers. Thank the weird code-signing world MS-created.

Unfortunately it's not as clear cut under Windows. An application signed by a trusted Certificate Authority, even if the CA is expired, is still trusted.
While drivers are usually WHQL-signed by Microsoft (using the Microsoft Windows Hardware Compatibility Publisher CA) there are exceptions that still get installed even if the CA certificate is expired.
There are mechanisms to revoke a CA certificate, but it's going to be a messy affair - every piece of software signed by that CA will become untrusted.
This is the more detailed version of the answer.
 


How is your comment even remotely relevant to the article ......... :banghead:
Really? How did you even figure out how to post in the first place... "remotely relevant" OMG
 
Really? How did you even figure out how to post in the first place... "remotely relevant" OMG
I mean, a lot of companies get hacked these days. I don't think paying up is the answer.
 
Unfortunately it's not as clear cut under Windows. An application signed by a trusted Certificate Authority, even if the CA is expired, is still trusted.
While drivers are usually WHQL-signed by Microsoft (using the Microsoft Windows Hardware Compatibility Publisher CA) there are exceptions that still get installed even if the CA certificate is expired.
There are mechanisms to revoke a CA certificate, but it's going to be a messy affair - every piece of software signed by that CA will become untrusted.
Hmm, not on AppLocker/SRP; it's been a pain to update as more certs are short-lived now. Whatever part of Windows allows expired certs needs fixing though.
 
Unfortunately it's not as clear cut under Windows. An application signed by a trusted Certificate Authority, even if the CA is expired, is still trusted.
While drivers are usually WHQL-signed by Microsoft (using the Microsoft Windows Hardware Compatibility Publisher CA) there are exceptions that still get installed even if the CA certificate is expired.
There are mechanisms to revoke a CA certificate, but it's going to be a messy affair - every piece of software signed by that CA will become untrusted.
That doesn't stop Microsoft from pushing an update and blacklisting those certificates explicitly.
Hopefully users savvy enough to block updates are also savvy enough to spot an expired certificate.
 
How dangerous is it actually? I mean, it's called Quasar.exe that you'd have to obtain from somewhere, and there's also UAC before it's executed.
 
Hmm, not on AppLocker/SRP; it's been a pain to update as more certs are short-lived now. Whatever part of Windows allows expired certs needs fixing though.
It is a hard problem for Windows. If you let signatures by expired CAs be untrusted, then a lot of old software will stop working/throw scary errors on startup. Windows' strength is backwards compatibility so they can't really do that.

That doesn't stop Microsoft from pushing an update and blacklisting those certificates explicitly.
Hopefully users savvy enough to block updates are also savvy enough to spot an expired certificate.
Of course, that's why I wrote that there are mechanisms to revoke certificates :)
The problem is that there's a lot of legitimate software made by NVidia which is signed with those leaked CAs. If Microsoft/NV/VeriSign revoke the certs then those executables will cause scary UAC errors. That's why a compromised CA is always a huge hurdle to fix.

How dangerous is it actually? I mean, it's called Quasar.exe that you'd have to obtain from somewhere, and there's also UAC before it's executed.
It can be called whatever really, let's say NvBroadcast.Container.exe or any other legitimate-sounding name.
Unfortunately that UAC will tell you it's valid software from NVidia, at least until the CA is revoked and the changes propagated to the Windows trust store.
 
It can be called whatever really, let's say NvBroadcast.Container.exe or any other legitimate-sounding name.
Unfortunately that UAC will tell you it's valid software from NVidia, at least until the CA is revoked and the changes propagated to the Windows trust store.
That's OK, but why would you give permission for any "legitimate software from nvidia" to be installed unless you yourself initiated a driver update?
 
That's OK, but why would you give permission for any "legitimate software from nvidia" to be installed unless you yourself initiated a driver update?
You overestimate the average user's security practices ;)
Most don't read those dialogues carefully unless they are errors, and some just click through it as fast as possible.

Common threats will be detected beforehand by either Windows Defender or other AV products, but a leaked trusted CA like that gives a lot of opportunities for bad actors. Tailored exploits won't be detected and will seem like legitimate software from NVidia. It's a bad situation for everybody, especially NVidia.
 
You overestimate the average user's security practices ;)
Most don't read those dialogues carefully unless they are errors, and some just click through it as fast as possible.

Common threats will be detected beforehand by either Windows Defender or other AV products, but a leaked trusted CA like that gives a lot of opportunities for bad actors. Tailored exploits won't be detected and will seem like legitimate software from NVidia. It's a bad situation for everybody, especially NVidia.
My point stands. It doesn't matter where the software is from - if it wasn't you that initiated the installation process, you click "No" in UAC. Simple as that. If that protects you from this malware, happy days. :)

If someone clicks "Yes" every single time UAC pops up without reading it, it's their own fault. UAC was created exactly for situations like this. All I can do is spread the word (which I do anyway).

It's a different kind of situation when you downloaded something, and UAC says it's from nvidia. But that's suspicious enough as well, I guess.
 
That's just nasty; instead of GPU specs we get malware with their certificates. Ahh, the Le Chatelier principle (of least resistance/effort) and adherence to it... :rolleyes: :)
 
Of course, that's why I wrote that there are mechanisms to revoke certificates :)
The problem is that there's a lot of legitimate software made by NVidia which is signed with those leaked CAs. If Microsoft/NV/VeriSign revoke the certs then those executables will cause scary UAC errors. That's why a compromised CA is always a huge hurdle to fix.
I fail to see the problem. Certificates have an expiration date because you're not supposed to use them after that date. If you install something signed by Nvidia today, it must be signed using current certificates.
 
Hmm, not on AppLocker/SRP; it's been a pain to update as more certs are short-lived now. Whatever part of Windows allows expired certs needs fixing though.
The problem is it's grandfathered in from long ago... "fix" it and suddenly any driver from pre-2016 or so ceases to function.
 
I fail to see the problem. Certificates have an expiration date because you're not supposed to use them after that date. If you install something signed by Nvidia today, it must be signed using current certificates.
That's not true. Take for example the GeForce 342.01 driver from 2016 which is signed with a Code Signing certificate valid from 2015 to 2018. Windows validates this signature and UAC shows the .exe to be trusted, from NVidia.
Edit: Scratch that, I misunderstood you. You're correct, the timestamping countersignature prevents using those leaked CAs for signing new software, under normal circumstances.
 
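The posts above turn on two properties of an Authenticode signature: whether the signer certificate has expired, and whether a timestamp countersignature exists to prove the file was signed while that certificate was still valid. The script below is an added example, not code from the thread or from NVIDIA or Microsoft; it uses PowerShell's `Get-AuthenticodeSignature` to audit a directory tree and flag files whose signer has expired with no countersignature, whose timestamper certificate was issued only after the signer expired, or whose signer thumbprint matches a list you maintain. The `$LeakedThumbprints` values and the default scan path are placeholders/assumptions, not values taken from the thread.

```powershell
# Added example (not from the thread): audit Authenticode signatures for the
# expired-signer / missing-timestamp / known-leaked-signer conditions discussed above.
# PLACEHOLDER list: fill in the thumbprints your organisation has decided to distrust.
$LeakedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-1',
    'PLACEHOLDER-THUMBPRINT-2'
)

function Get-SuspiciousSignatureReport {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string[]] $Leaked = $LeakedThumbprints
    )
    $now = Get-Date
    foreach ($file in Get-ChildItem -Path $Path -File -Recurse -Include *.exe,*.dll,*.sys -ErrorAction SilentlyContinue) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($sig.Status -eq 'NotSigned') { continue }

        $signer = $sig.SignerCertificate          # leaf code-signing certificate
        $tsa    = $sig.TimeStamperCertificate     # present only if countersigned
        $flags  = New-Object System.Collections.Generic.List[string]

        if ($signer) {
            # Expired signer and no countersignature: nothing proves the
            # signing happened inside the certificate's validity window.
            if ($signer.NotAfter -lt $now -and -not $tsa) { $flags.Add('ExpiredSignerNoTimestamp') }
            # A timestamper certificate that did not yet exist when the signer
            # expired cannot vouch for a signing time before that expiry.
            if ($tsa -and $tsa.NotBefore -gt $signer.NotAfter) { $flags.Add('TimestampAfterSignerExpiry') }
            if ($Leaked -contains $signer.Thumbprint) { $flags.Add('KnownLeakedCertificate') }
        }
        if ($sig.Status -ne 'Valid') { $flags.Add("Status:$($sig.Status)") }

        $subject    = if ($signer) { $signer.Subject }    else { $null }
        $thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        $notAfter   = if ($signer) { $signer.NotAfter }   else { $null }
        [pscustomobject]@{
            Path        = $file.FullName
            Subject     = $subject
            Thumbprint  = $thumbprint
            NotAfter    = $notAfter
            Timestamped = [bool]$tsa
            Flags       = ($flags -join ',')
        }
    }
}

# Usage (assumed scan root): list only the files that raised at least one flag.
Get-SuspiciousSignatureReport -Path "$env:SystemRoot\System32\drivers" |
    Where-Object { $_.Flags } | Format-Table -AutoSize
```

The flags are evidence for triage, not a verdict: a legitimate old binary can hit ExpiredSignerNoTimestamp, so compare the thumbprint and subject against what you expect before acting on a hit.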
all useless, where're ma custom bios
 
It is a hard problem for Windows. If you let signatures by expired CAs be untrusted, then a lot of old software will stop working/throw scary errors on startup. Windows' strength is backwards compatibility so they can't really do that.


Of course, that's why I wrote that there are mechanisms to revoke certificates :)
The problem is that there's a lot of legitimate software made by NVidia which is signed with those leaked CAs. If Microsoft/NV/VeriSign revoke the certs then those executables will cause scary UAC errors. That's why a compromised CA is always a huge hurdle to fix.


It can be called whatever really, let's say NvBroadcast.Container.exe or any other legitimate-sounding name.
Unfortunately that UAC will tell you it's valid software from NVidia, at least until the CA is revoked and the changes propagated to the Windows trust store.
On old software I had to use other ways of whitelisting on SRP such as hash or path.

So it seems Windows itself is inconsistent, as AppLocker and SRP do not trust expired certs. But as you said, other parts of the OS do.

But those two features are aimed at enterprise use, so it's logical they are strict.

I guess it's going to be revocation and hoping people keep their cert stores updated.
 
But those two features are aimed at enterprise use, so it's logical they are strict.
Yeah, I was writing about a normal user's experience.
I guess it's going to be revocation and hoping people keep their cert stores updated.
There's no need to do anything; Windows keeps them updated, and Explorer makes internet revocation checks when details of a signature are displayed (via Properties, Digital Signatures, Details).
 
Oh dear, a kin' rat's nest this :p. I will hopefully not be affected, but a lot of us do use some random-ass software that likes to install a lot of random-ass exes. Looking at you, ASUS, iCUE, NiceHash.
 