Emsisoft has warned its customers that cybercriminals are using fake code-signing certificates that imitate Emsisoft's name to target the company's customers, in the hope of getting around their defenses.
Code signatures are digital signatures applied to an application so that users, software and operating systems can verify that the software has not been changed since the publisher signed it. Attackers try to abuse this by creating fake certificates whose names imitate that of a well-known company.
In a new security advisory, Emsisoft warned that one of its customers was targeted by hackers who used an executable signed with a fake Emsisoft certificate. The company believes this was done to deceive the victim: the user would assume that any detection was a false positive and allow the program to run.
According to Emsisoft, the hacker probably gained initial access to the compromised device by brute-forcing RDP or by using stolen credentials belonging to an employee of the targeted organization.
Having gained access to the endpoint, the attackers tried to install MeshCentral, an open-source remote access application that security products usually trust because it is used for legitimate purposes. However, the MeshCentral executable was signed with the fake Emsisoft certificate.
MeshCentral executable signed with a fake Emsisoft certificate
When the Emsisoft security product scanned the file, it flagged it as "Unknown" because of the invalid signature and quarantined the file.
Fake signature detected by the Emsisoft tool
If the employee had taken this warning as a false positive because of the name in the digital signature, they could have allowed the application to run, which would have given the cybercriminals full access to the device. That remote access could then be used to disable protections, spread across the network, steal confidential data and deploy ransomware.
Emsisoft warns that executables should be trusted only after confirming that the file is not malicious, and that users should contact their security vendor before allowing an executable with an invalid signature to run. The company also suggests that system administrators set a password on installed Emsisoft products to prevent them from being tampered with or disabled in the event of a compromise.
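
The advice above comes down to judging a file by whether its signature verifies, not by the name written in the certificate. The following PowerShell function is an added example, not part of Emsisoft's advisory or tooling; the function name, the `$VendorNames` list and the sample path are assumptions. It reports the Authenticode verification status and flags the case described in this article, an invalid signature whose subject claims a trusted vendor.

```powershell
# Added example. Function name and $VendorNames are assumptions, not Emsisoft tooling.
function Get-SignatureTriage {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Brand names an attacker might imitate in a certificate subject (assumed list).
        [string[]]$VendorNames = @('Emsisoft')
    )

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '' }
    $issuer  = if ($cert) { $cert.Issuer }  else { '' }

    # Which trusted-looking names does the certificate subject claim?
    $claimed = @($VendorNames | Where-Object { $subject -match [regex]::Escape($_) })

    # Decide on the verification status; a familiar name never adds trust.
    $verdict = if ($sig.Status -eq 'Valid') {
        'SignatureValid'                   # chain and file hash verified; still confirm the file is benign
    } elseif ($sig.Status -eq 'NotSigned') {
        'Unsigned'
    } elseif ($claimed.Count -gt 0) {
        'InvalidSignatureClaimingVendor'   # the case in this article: keep the file quarantined
    } else {
        'InvalidSignature'
    }

    [pscustomobject]@{
        Path          = $Path
        Verdict       = $verdict
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Subject       = $subject
        Issuer        = $issuer
        SelfSigned    = ([bool]$cert -and ($subject -eq $issuer))
        ClaimedVendor = $claimed -join ', '
        # Hash to quote when contacting the security vendor about the file.
        SHA256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Usage (placeholder path):
# Get-SignatureTriage -Path 'C:\Quarantine\sample.exe'
```

A verdict of `InvalidSignatureClaimingVendor` is a reason to leave the file in quarantine and contact the vendor, not a reason to whitelist it.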