Sectigo says that most of certificates reported by Chronicle analysis were already revoked

According to Sectigo, most of the certificates used to sign the malware submitted to VirusTotal and issued by the company were expired and were already revoked.

This week experts at Chronicle published a study on signed malware registered on VirusTotal that states that most of the digital certificates used to sign malware samples found on VirusTotal in 2018 have been issued by the Certificate Authority (CA) Comodo CA (aka Sectigo).

Chronicle’s security researchers have analyzed submissions May 7, 2018, and May 7, 2019 discovering that out of a total of 3,815 signed malware samples, 1,775 were signed using a digital certificate issued by Comodo RSA Code Signing CA. 

Experts from Sectigo analyzed the Chronicle’s findings and provided their response. According to Sectigo, most of the certificates used to sign the malware submitted to VirusTotal and issued by the company were expired and were already revoked. The CA also states that many of the certificates analyzed by Chronicle were duplicates, only 127 of them were active and now revoked by the company. Duplicates are certificates that match others that already have been logged in a different category. Duplicates can cause multiple uses of the same certificate or multiple reports of the same malware application.

Below the data provided by Sectigo:

• Duplicate: 1660
• Expired: 70
• Previously revoked: 126
• In process: 25
• Active (now revoked): 127

“Unfortunately, recent press reports suggest the incorrect conclusion that Chronicle reported nearly 2000 such certificates for Comodo / Sectigo. Since this story ran, we have investigated all of the certificates attributed to Comodo / Sectigo. More than 90% of these were expired, previously revoked, or duplicate reports.” reads the post published by Sectigo.

The CA confirmed that is still investigating 25 certificates that labeled with “in process” status.

“These reported certificates did not match our records of Code Signing certificates from Comodo / Sectigo during our investigation. We are continuing to investigate these certificates.” reads the CA.

Sectigo encourages Chronicle or other researchers to report any misuse of its public certificates at:

• ssl_abuse@sectigo.com
• signedmalwarealert@sectigo.com.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – digital certificates, CA)

[adrotate banner=”5″]

[adrotate banner=”13″]