Nvidia certificates are being used to sign malware, enabling malicious programs to pose as legitimate and slide past security safeguards on Windows machines.
Two of NVIDIA’s code-signing certificates were part of the Feb. 23 Lapsus$ Group ransomware attack the company suffered – certificates that are now being used to sign malware so malicious programs can slide past security safeguards on Windows machines.
The Feb. 23 attack saw 1TB of data bleed from the graphics processing units maker: a haul that included data on hardware schematics, firmware, drivers, email accounts and password hashes for more than 71,000 employees, and more.
Security researchers noted last week that binaries that had not been developed by NVIDIA, but which had been signed with its stolen certificates so that they pass as legitimate NVIDIA programs, had appeared in the malware sample database VirusTotal.
The signed binaries were detected as Mimikatz (a tool for lateral movement that allows attackers to enumerate and view the credentials stored on the system) and as other malware and hacking tools, including Cobalt Strike beacons, backdoors and remote access trojans (RATs), among them a Quasar RAT and a Windows driver, both uploaded to VirusTotal.
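Because a valid Authenticode signature from a stolen certificate looks exactly like a legitimate one, a defender has to check *which* NVIDIA certificate signed a file, not merely whether the signature verifies. The following PowerShell triage script is an added example written for this page, not code from the article or from NVIDIA; it assumes Windows PowerShell 5.1 or later and uses only the built-in `Get-AuthenticodeSignature`, `Get-Item` and `Get-CimInstance` cmdlets. The serial numbers in `$LeakedCertSerials` are placeholders to be replaced from your threat-intelligence source; the file-metadata mismatch heuristic is an assumption about what a repurposed signature tends to look like, not a documented indicator.

```powershell
# Added example: flag NVIDIA-signed files whose signing certificate is on a
# blocklist, is expired, or disagrees with the file's own version metadata.

# Placeholders: populate from your threat-intel feed, not from this script.
$LeakedCertSerials = @(
    'PLACEHOLDER_LEAKED_NVIDIA_CERT_SERIAL_1',
    'PLACEHOLDER_LEAKED_NVIDIA_CERT_SERIAL_2'
)

function Test-SuspiciousNvidiaSignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return $null }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    # Unsigned files and non-NVIDIA signers are out of scope for this check.
    if (-not $cert -or $cert.Subject -notmatch 'NVIDIA') { return $null }

    $reasons = @()

    # 1. Known-leaked certificate serial (authoritative indicator).
    if ($LeakedCertSerials -contains $cert.SerialNumber) {
        $reasons += 'signer serial is on the leaked-certificate blocklist'
    }

    # 2. Expired signer. A countersignature timestamp keeps the Authenticode
    #    status "Valid", so expiry alone is worth surfacing for review.
    if ($cert.NotAfter -lt (Get-Date)) {
        $reasons += "signer certificate expired on $($cert.NotAfter.ToString('u'))"
    }

    # 3. Assumed heuristic: the PE's own CompanyName does not claim NVIDIA even
    #    though the signature does. Genuine NVIDIA builds normally agree.
    $company = (Get-Item -LiteralPath $Path).VersionInfo.CompanyName
    if ([string]::IsNullOrWhiteSpace($company) -or $company -notmatch 'NVIDIA') {
        $reasons += "file metadata CompanyName is '$company', not NVIDIA"
    }

    if ($reasons.Count -eq 0) { return $null }

    [PSCustomObject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = $cert.Subject
        Serial     = $cert.SerialNumber
        Thumbprint = $cert.Thumbprint
        Reasons    = ($reasons -join '; ')
    }
}

# Candidate set: every loaded kernel driver plus every running process image.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' }

$processes = Get-Process | Where-Object { $_.Path } | ForEach-Object { $_.Path }

$findings = ($drivers + $processes | Sort-Object -Unique) |
    ForEach-Object { Test-SuspiciousNvidiaSignature -Path $_ } |
    Where-Object { $_ }

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No NVIDIA-signed files matched any indicator.'
}
```

Run it in an elevated session so that driver paths under `System32\drivers` are readable. A hit on the serial blocklist is a firm indicator; the expiry and metadata checks are there to catch binaries that the blocklist has not been updated for, and each hit from those two should be confirmed by submitting the file hash to a sandbox or VirusTotal rather than acted on directly.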