Wednesday 2 October 11:50 - 12:20, Red room
Yuta Sawabe, Shogo Hayashi & Rintaro Koike (NTT Security Holdings)
These days, whether related to APT or crime, many malware samples and malicious files are code-signed. This is largely due to the existence of code-signing certificate sellers, who play a role in the ecosystem: instead of obtaining code-signing certificates themselves, attackers can simply buy them.
We took a close look at an interesting behaviour of code-signing certificate sellers. Prior to selling the certificates to their customers, they signed benign software with the certificates and posted the signed software to online malware scanning services to test whether the certificates were judged as expected (not only valid, but also benign). Such inspections occurred long before the certificates were sold and abused by attackers.
We collected the files posted by these sellers and harvested code-signing certificate information that could be abused in the future. This was a kind of experiment to predict the future. As a result, we succeeded in predicting future abuse cases. This could be an effective approach against code-signed malware and malicious files.
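An added illustration (not code from the presentation) of the watchlist idea described above: harvest signer certificates that appear only on clean scanner uploads before a cutoff date, then flag later malicious submissions signed with the same certificates and report the lead time. The submission records, thumbprints and dates are constructed; how the sellers' test uploads are identified in practice is the talk's material and is not modelled here.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Submission:
    sha256: str            # hash of the submitted file (placeholder values below)
    signer: str            # thumbprint of the leaf code-signing certificate
    detections: int        # number of engines that flagged the file
    seen: datetime         # submission time on the scanning service

# Constructed sample timeline, not data from the talk.
D = datetime
SUBMISSIONS = [
    Submission("f1", "CERT-A", 0, D(2024, 1, 5)),    # clean tool signed with CERT-A (seller test)
    Submission("f2", "CERT-A", 0, D(2024, 1, 6)),    # second clean test upload
    Submission("f3", "CERT-B", 0, D(2024, 1, 9)),    # clean test upload with CERT-B
    Submission("f4", "CERT-C", 12, D(2024, 1, 10)),  # already malicious; CERT-C is not harvested
    Submission("f5", "CERT-A", 31, D(2024, 2, 20)),  # later malware signed with CERT-A
    Submission("f6", "CERT-B", 0, D(2024, 3, 1)),    # CERT-B still only on clean files
    Submission("f7", "CERT-A", 40, D(2024, 3, 3)),   # more malware signed with CERT-A
]
CUTOFF = datetime(2024, 1, 31)   # end of the harvesting window

def harvest_watchlist(subs, cutoff):
    """Certificates whose every sighting up to `cutoff` is a clean file.
    Returns thumbprint -> datetime of first sighting."""
    first_seen, dirty = {}, set()
    for s in sorted(subs, key=lambda s: s.seen):
        if s.seen > cutoff:
            break
        if s.detections > 0:
            dirty.add(s.signer)
        first_seen.setdefault(s.signer, s.seen)
    return {c: t for c, t in first_seen.items() if c not in dirty}

def predicted_abuse(subs, watchlist, cutoff, min_detections=5):
    """Files submitted after `cutoff`, signed with a watchlisted certificate and
    flagged by at least `min_detections` engines. Returns a list of
    (sha256, thumbprint, days between the first clean sighting and the abuse)."""
    hits = []
    for s in sorted(subs, key=lambda s: s.seen):
        if s.seen > cutoff and s.signer in watchlist and s.detections >= min_detections:
            hits.append((s.sha256, s.signer, (s.seen - watchlist[s.signer]).days))
    return hits

if __name__ == "__main__":
    watchlist = harvest_watchlist(SUBMISSIONS, CUTOFF)
    for hit in predicted_abuse(SUBMISSIONS, watchlist, CUTOFF):
        print(hit)
```

Tuning `min_detections` trades early warning against noise from engines that flag a file on the signer alone.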
In this presentation we will first introduce the code-signing certificate sellers and their ecosystem. Then, we will illustrate their interesting inspections with a detailed timeline. Finally, we will present the approach we have developed and evaluate its effectiveness.
This presentation will allow the audience to understand the ecosystem around the code-signing market for threat actors. It will also help the audience understand the certificate sellers' interesting approaches and the overall picture. This knowledge will allow SOCs, IRs, CSIRTs and other personnel to take proactive measures against code-signed malware and malicious files.
Yuta Sawabe is a SOC analyst at NTT Security Holdings, where he is primarily involved in log analysis and malware analysis. He previously worked on malicious domain names. He is an Information Processing Society of Japan JIP Special Paper Winner (2019). He has spoken at Botconf, HITCON, JSAC and CODE BLUE in the past.
Shogo Hayashi is a security analyst at NTT Security Holdings. His main specialization is responding to EDR detections, creating IoCs, analysing malware and researching cyber threats. He is a cofounder of SOCYETI, an organization for sharing threat information and analysis techniques with SOC analysts in Japan. He has spoken at JSAC, VB, SAS and CODE BLUE, and has written several white papers and blogs.
Rintaro Koike is a security analyst at NTT Security Holdings. He is engaged in threat research and malware analysis. In addition, he is the founder of "nao_sec" and is in charge of threat research there. He focuses on APT attacks targeting East Asia and web-based attacks. He has been a speaker at VB, SAS, Botconf, AVAR and others.