Emsisoft has warned its customers that cybercriminals are using fake code-signing certificates that impersonate Emsisoft in attacks on the company's customers, in the hope of circumventing its protection.
Code-signing certificates are used to apply a digital signature to an application so that users, software, and operating systems can verify that the software has not been modified since the publisher signed it. Attackers try to take advantage of this by creating fake certificates whose subject name mimics that of a well-known company.
In a new security bulletin, Emsisoft warned that one of its customers was targeted by hackers who used an executable signed with a fake Emsisoft certificate. The firm believes this was done to deceive the victim: the user would assume that any detection is a false positive and allow the program to run.
According to Emsisoft, the hacker likely gained initial access to the compromised device by brute-forcing Remote Desktop Protocol (RDP) logins or by using stolen credentials belonging to an employee of the target organization.
After gaining access to the endpoint, the attackers tried to install MeshCentral, an open-source remote access application that security products generally trust because it is widely used for legitimate purposes. However, this MeshCentral executable was signed with a fake Emsisoft certificate.
When the Emsisoft security product scanned the file, it marked it as "Unknown" due to an invalid signature and quarantined the file.
If an employee interpreted this warning as a false positive because of the publisher name shown in the digital signature, they could allow the application to run, giving the cybercriminal full remote access to the device. That access can then be used to disable protections, spread across the network, steal sensitive data, and deploy ransomware.
Emsisoft cautions that executable files should only be trusted after confirming that the file is not malicious, and that security vendors should be contacted before an invalidly signed executable is allowed to run. The company also suggests that system administrators set passwords on installed Emsisoft programs so they cannot be tampered with or disabled if the device is compromised.
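The check that the explanation of code signing above and Emsisoft's advice both point to is that a publisher name printed in a signature proves nothing by itself: what matters is whether the signature is cryptographically valid and whether the signer certificate chains to a root the machine actually trusts. The PowerShell function below is an added example written for this article, not Emsisoft's own tooling or anything from the bulletin. It uses the built-in `Get-AuthenticodeSignature` cmdlet and .NET's `X509Chain`, and the function name, the `-ExpectedPublisher` parameter and the optional thumbprint allow-list are assumptions of this example. A self-signed certificate that merely carries a well-known name in its subject comes back with a non-`Valid` status and an untrusted chain, which is exactly the condition the article describes the product flagging as "Unknown".

```powershell
# Test-PublisherSignature (hypothetical name): decide whether a Windows executable
# should be trusted based on signature validity and chain trust, not on the
# publisher name alone. Added example; not part of the original article.
function Test-PublisherSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Name you expect in the signer's subject, e.g. "Emsisoft Ltd" (assumed value).
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        # Optional allow-list of SHA-1 thumbprints of the publisher's real
        # signing certificates (placeholder values; fill in from a trusted source).
        [string[]] $KnownThumbprints = @()
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Chain validation against the local machine's trust store. A self-signed
    # "look-alike" certificate fails here because no trusted root issued it.
    $chainTrusted = $false
    $chainErrors  = @()
    if ($null -ne $cert) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainTrusted = $chain.Build($cert)
        $chainErrors  = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
    }

    $nameMatches = ($null -ne $cert) -and ($cert.Subject -like "*CN=$ExpectedPublisher*")
    $pinMatches  = ($null -ne $cert) -and ($KnownThumbprints -contains $cert.Thumbprint)

    # Order of the decision matters: validity and chain trust come first; the
    # subject name is only a secondary, advisory check.
    $verdict =
        if ($sig.Status -ne 'Valid')      { "REJECT: signature status $($sig.Status) ($($sig.StatusMessage))" }
        elseif (-not $chainTrusted)       { "REJECT: signer does not chain to a trusted root: $($chainErrors -join '; ')" }
        elseif ($KnownThumbprints.Count -gt 0 -and -not $pinMatches) {
                                            "REJECT: valid signature but thumbprint $($cert.Thumbprint) is not on the allow-list" }
        elseif (-not $nameMatches)        { "REVIEW: valid, trusted signature, but publisher is '$($cert.Subject)', not '$ExpectedPublisher'" }
        else                              { "ALLOW: valid signature from trusted publisher" }

    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status
        Publisher    = if ($cert) { $cert.Subject } else { '(unsigned)' }
        Thumbprint   = if ($cert) { $cert.Thumbprint } else { $null }
        ChainTrusted = $chainTrusted
        NameMatches  = $nameMatches
        Verdict      = $verdict
    }
}

# Usage (paths and publisher name are placeholders):
# Test-PublisherSignature -Path 'C:\Quarantine\suspect.exe' -ExpectedPublisher 'Emsisoft Ltd' |
#     Format-List
#
# A file signed with a self-signed certificate whose subject reads "CN=Emsisoft Ltd"
# yields Status = UnknownError or NotTrusted, ChainTrusted = False and a REJECT verdict
# even though NameMatches is True, which is the point: the name is cosmetic, the chain is not.
```

In day-to-day use, run this against quarantined files before deciding a detection is a false positive, and treat anything other than `ALLOW` as grounds to contact the vendor rather than to whitelist the file. Pinning known thumbprints makes the check stricter still: even a validly issued certificate in a look-alike company name would fail the allow-list.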