Late in 2018, during our work we came across a malicious executable signed with a
legitimate COMODO certificate. The certificate was registered to a legitimate UK-based
company. Using Iris, which is part of DomainTools, it was possible to establish that
an individual or group is using the same provider to register domains. These domains
could then be linked to UK-based companies via beta.companieshouse.co.uk.
In fact, we were able to correlate 99% of the domain names found using a particular
search in Iris with a UK-based company. In addition, in most cases it was also
possible to download a linked malware sample from VirusTotal and extract the
certificate, which contained the company's trading address and email, confirming
that the link was a match.
It seems this has been going on for around six months, but probably longer. Domain
names are purchased in batches and then used to acquire code signing certificates,
mainly from COMODO (now Sectigo), though other providers have been seen. Shortly
afterwards, signed malware starts appearing on VirusTotal, Hybrid Analysis and other
online sources.
If you are using Iris, the advanced search here will provide you with all the
results.
This is still ongoing and the latest created domain was 7 days ago.
Below is a list of all linked domains and UK companies (including a CSV with some
hashes and company addresses) that have been located since the start of the
investigation. There are most likely more, but we have been unable to dig through
and discover further due to time constraints. An interesting detail is that the
companies used are very often only a year old, or just over. It is currently unclear
whether these companies were created for the purpose of purchasing the certificates,
or whether already existing companies were used.

CSV with all company details, some hashes and certificate serial numbers
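The correlation step described above (certificate subject against a company record) and the company-age observation, as an added example that is not part of the original post. It uses only the standard library; the DN strings, company records, reference date and the 540-day "young company" threshold are constructed, hypothetical values, not data from the investigation.

```python
"""Match code-signing certificate subjects to company register records.
Hypothetical example; all sample data below is constructed."""
from datetime import date

# Constructed certificate subjects, as extracted from signed samples (RFC 4514-style).
CERT_SUBJECTS = [
    "C=GB, postalCode=AB1 2CD, L=London, street=1 Example Street, "
    "O=Example Holdings Ltd, CN=Example Holdings Ltd, emailAddress=info@example-holdings.test",
    "C=GB, postalCode=EF3 4GH, L=Leeds, street=22 Sample Road, O=Sample Trading Limited, "
    "CN=Sample Trading Limited, emailAddress=admin@sample-trading.test",
]
# Constructed register records, shaped like a company register export (placeholders).
COMPANIES = [
    {"name": "EXAMPLE HOLDINGS LTD", "postcode": "ab12cd", "incorporated": date(2018, 3, 5)},
    {"name": "UNRELATED SERVICES PLC", "postcode": "ZZ9 9ZZ", "incorporated": date(2005, 1, 1)},
]
TODAY = date(2019, 1, 15)  # constructed reference date for the age check

def parse_dn(dn: str) -> dict:
    """Split a comma-separated DN into {attribute: value}, ignoring stray whitespace."""
    out = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def norm(text: str) -> str:
    """Case- and space-insensitive form so 'AB1 2CD' and 'ab12cd' compare equal."""
    return "".join(ch for ch in text.upper() if ch.isalnum())

def correlate(cert_subjects, companies, today, young_days=540):
    """For each certificate, find the company with the same name and postcode and
    flag it when it was incorporated within young_days of today (assumed threshold)."""
    index = {(norm(c["name"]), norm(c["postcode"])): c for c in companies}
    findings = []
    for dn in cert_subjects:
        attrs = parse_dn(dn)
        match = index.get((norm(attrs.get("O", "")), norm(attrs.get("postalCode", ""))))
        findings.append({
            "org": attrs.get("O"),
            "email": attrs.get("emailAddress"),
            "company": match["name"] if match else None,
            "young_company": bool(match) and (today - match["incorporated"]).days <= young_days,
        })
    return findings

def run_example():
    """Run the correlation over the constructed sample data."""
    return correlate(CERT_SUBJECTS, COMPANIES, TODAY)
```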