Recent measurements of the Windows code signing certificate ecosystem have highlighted various forms of abuse that allow malware authors to produce malicious code carrying valid digital signatures. However, the underground trade that allows miscreants to acquire such certificates is not well understood. In this paper, we take a step toward illuminating this trade by investigating the certificate black market from two separate perspectives. First, we identify 4 leading vendors of Authenticode certificates, we document how they conduct business, and we estimate their market share. Second, we dig deeper into the demand for code signing certificates by collecting a dataset of recently signed malware and by using it to study the relationships among malware developers, malware families, and certificates. We also establish indirect links between these two data sets by inferring that 5 certificates found in our signed malware samples had likely been purchased from one of the black market vendors we observed. Using this approach, we document a apparent shift in the methods that malware authors employ to obtain valid digital signatures. While prior studies have reported that most of the code signing certificates used by malware had been issued to legitimate developers and later compromised, we report that, in 2017, this method is not prevalent anymore. Instead, we gather evidence consistent with a stable underground market that represents the leading source of code signing certificates for malware authors. We also find that the need to bypass platform protections such as Microsoft Defender SmartScreen plays an important role in driving the demand for Authenticode certificates. Together, these findings suggest that the trade in certificates issued for abuse represents an emerging segment of the underground economy.



Network graph

Data sets

SHA2 of malware Serial Number CA
SHA2 of malware Serial Number CA