The cybersecurity firm Emsisoft has reported that an unknown threat actor is using fake code-signing certificates to impersonate the company and to target customers who use its security products. A code-signing certificate binds a publisher’s identity to the public key that verifies the digital signature on an application, so that users, software, and the operating system can confirm the software has not been tampered with since the publisher signed it. Threat actors abuse this by creating their own certificates whose subject or issuer names resemble those of a trusted entity. Because such a certificate does not chain to a root the operating system trusts, the signature itself still fails validation; the deception relies on a person reading the name rather than checking the chain. Typically the aim is to convince an analyst that any security alert on the application is a false positive, which sometimes leads the user to allow it to run.
Emsisoft believes that the threat actor gained initial access to the environment either by brute-forcing RDP or by using stolen credentials. The attacker then installed MeshCentral, an open-source remote-management tool, on the host; the executable was renamed to “smss.exe” (the name of the legitimate Windows Session Manager binary) and signed with a certificate issued by the fake “Emsisoft Server Trusted Network CA.” Emsisoft’s security product flagged and quarantined the file because the signature was invalid, but an analyst who treated the detection as a false positive on the strength of the spoofed certificate name and restored the file would hand the attackers full remote access to the compromised device.
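The triage the two paragraphs above call for, as an added example that is not part of the original report or of Emsisoft’s tooling: instead of reading the signer name, check the Authenticode status, build the signer’s certificate chain to see whether it reaches a root Windows trusts, and flag a well-known system binary name living outside System32. The file path, the list of imitated vendor names, and the list of system binary names are assumptions for illustration and should be adapted to the case at hand.

```powershell
# Added triage script (not from the original article). Run on the quarantined copy of the file.
# Assumptions: $Path, $vendors and $systemNames are hypothetical inputs chosen for illustration.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$findings = @()

# 1. Authenticode status. A certificate from a self-made "Emsisoft Server Trusted Network CA"
#    does not chain to a trusted root, so the status is NotTrusted/UnknownError, never Valid.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    $findings += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

$subject = ''
$issuer  = ''
if ($sig.SignerCertificate) {
    $subject = $sig.SignerCertificate.Subject
    $issuer  = $sig.SignerCertificate.Issuer

    # 2. Build the chain ourselves. Subject and issuer text is free-form and attacker-controlled;
    #    the chain terminating in a root in the machine's trust store is the actual evidence.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline triage; rerun with 'Online' when connected
    if (-not $chain.Build($sig.SignerCertificate)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "Signer chain does not reach a trusted root ($reasons)"
    }
    $rootIndex = $chain.ChainElements.Count - 1
    $findings += "Chain terminates at: $($chain.ChainElements[$rootIndex].Certificate.Subject)"
}

# 3. A vendor name in the subject or issuer combined with a non-valid signature is a spoofing
#    indicator, not grounds for a false-positive verdict. Hypothetical list; extend for your estate.
$vendors = @('Emsisoft', 'Microsoft')
foreach ($v in $vendors) {
    if (($subject -match $v -or $issuer -match $v) -and $sig.Status -ne 'Valid') {
        $findings += "Certificate names '$v' but the signature is not valid: likely spoofed certificate"
    }
}

# 4. Name masquerading: a Windows system binary name running from outside System32.
$systemNames = @('smss.exe', 'csrss.exe', 'lsass.exe', 'svchost.exe', 'wininit.exe')
$name  = [IO.Path]::GetFileName($Path)
$sys32 = Join-Path $env:SystemRoot 'System32'
if ($systemNames -contains $name -and -not ($Path -like "$sys32\*")) {
    $findings += "File named like system binary '$name' but located outside $sys32"
}

[pscustomobject]@{
    Path     = $Path
    Status   = $sig.Status
    Subject  = $subject
    Issuer   = $issuer
    Findings = $findings
}
```

Usage: `.\Triage-Signature.ps1 -Path 'C:\Quarantine\smss.exe'`. Anything other than an empty Findings list with Status Valid should be escalated rather than released; in the case described above the status alone rules out a false positive, and the chain check shows why, because the certificate terminates in the attacker’s own CA rather than in a root the machine trusts.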