Identifying forensic signals: The campaigns that leverage trusted certificates undermine the trust model enterprises rely on. Signed malware bypasses app-allow lists, browser warnings, OS checks, and antivirus assumptions about signed code. When the file poses as Teams or PuTTY, employees don’t hesitate to download it as it looks normal.”Once inside, the malware runs with fewer restrictions, grabs persistence, and brings in heavier payloads. It also complicates investigations because the usual red flags are missing. And since attackers piggyback on everyday software ecosystems, one endpoint foothold can turn into lateral movement and, eventually, ransomware fast,” added Jaju.Experts say defenders must change their mindset. “We shouldn’t assume signed files are safe,” said Devroop Dhar, MD and co-founder at Primus Partners. “Start by checking where the installer came from, was it a vendor site or a sketchy search-ad link. These little details often tell the whole story. New or mismatched publisher names, or certificates issued unusually recently, should raise suspicion. On endpoints, look for rundll32, PowerShell, or msiexec process chains, not specific malware names, but recurring behavior patterns.”Jaju added that defense now depends on behavioral analytics and proactive validation. “Use EDR that focuses on behavior instead of trust tags. pin certificates for mission-critical apps so only known-approved certs can run. Feed threat intelligence streams into detection pipelines so revocations and IOCs trigger action immediately. Add DNS controls and filtering to block fake download paths.”Dhar emphasized that CISOs must treat signed malware and fake installers as part of today’s landscape. “The focus should shift to verification: where the file came from, who signed it, and what it did right after launch.” Both experts agree that the problem extends beyond individual organizations. Abuse of Microsoft’s trusted signing service exposes systemic cracks that demand tighter certificate vetting and stronger industry-wide oversight.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4083208/rhysida-ransomware-exploits-microsoft-certificate-to-slip-malware-past-defenses.html
