Leaked Nvidia certificates used to sign malware bypassing Windows detection


Security researchers have discovered malware being signed with Nvidia code signing certificates days after the LAPSUS$ group leaked a trove of the company’s stolen files.

The stolen files included two code signing certificates. Although both have now expired, malware signed with them can still be loaded by Windows.

Windows typically rejects drivers or executables signed with expired certificates. A certificate issued after 29 July 2015 requires a timestamp, a countersignature that lets a signature remain trusted after the certificate expires. Certificates issued before that date, as is the case for these two Nvidia certificates, are accepted by Windows without a timestamp, expired or not, said Bill Demirkapi, who works in offensive security at Zoom.

Such certificates exist so that Windows users can verify the authenticity of a given driver or application. Signing malware with a legitimate, albeit expired, certificate means Windows treats the application as genuine and unmodified by a third party.

Among the types of malware already discovered to be signed with Nvidia’s code signing certificates are Mimikatz, Cobalt Strike beacons, and remote access trojans, according to VirusTotal searches.


"The recent Nvidia security breach involving certificate abuse is eerily like the one Opera suffered in 2013 and one that Adobe reported in 2012," said Pratik Selva, senior security engineer at Venafi. "If organisations do not properly secure the process and the infrastructure for managing code signing certificates, the likelihood of abuse, as well as the impact of any compromise, are both extremely high."

"Although the certificates have expired, Windows will still allow a driver signed by a company to be installed so that it still constitutes a risk," said Alexis Vanden Eijnde, senior security consultant at Prism Infosec. "Microsoft should soon add the certificates to their revocation list and this will prevent the malicious drivers signed by stolen certificates from being loaded into Windows."

Windows admins are advised to create custom Windows Defender Application Control policies that block files signed with the specific leaked certificates.
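As an added example (not from the article or from Nvidia or Microsoft), the PowerShell below looks for the exact condition described above, files whose Authenticode signature chains to an expired certificate with no timestamp countersignature, and then builds a WDAC deny rule from one such file. It assumes the standard `Get-AuthenticodeSignature`, `New-CIPolicyRule` and `New-CIPolicy` cmdlets; the `-SubjectFilter` value, scan path and output file name are illustrative choices, not values from the article.

```powershell
# Added example: flag binaries signed with an expired certificate that carries
# no timestamp countersignature. Windows still reports such signatures as
# 'Valid' when the certificate predates 29 July 2015, which is the risk here.
function Find-ExpiredUnstampedSignatures {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $SubjectFilter = ''   # e.g. 'NVIDIA' to narrow to one publisher (assumption)
    )
    $now = Get-Date
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if (-not $cert) { return }                 # unsigned file, out of scope
            if ($SubjectFilter -and $cert.Subject -notlike "*$SubjectFilter*") { return }
            $expired = $cert.NotAfter -lt $now
            $noStamp = -not $sig.TimeStamperCertificate  # no countersignature at all
            if ($expired -and $noStamp) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Status     = $sig.Status             # 'Valid' here is exactly the problem
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
            }
        }
}

# Build a WDAC deny rule from one offending file's publisher (leaf certificate
# common name plus issuing CA), so every file signed with that certificate is
# blocked regardless of its hash. Merge the resulting XML into the existing
# policy with Merge-CIPolicy and convert it with ConvertFrom-CIPolicy to deploy.
function New-PublisherDenyPolicy {
    param(
        [Parameter(Mandatory)] [string] $SampleFile,
        [string] $OutXml = '.\DenyLeakedPublisher.xml'   # illustrative output path
    )
    $rules = New-CIPolicyRule -Level Publisher -DriverFilePath $SampleFile -Deny
    New-CIPolicy -Rules $rules -FilePath $OutXml -UserPEs
    return $OutXml
}

# Usage: scan the driver store and turn the first hit into a deny policy.
$hits = Find-ExpiredUnstampedSignatures -Path 'C:\Windows\System32\drivers'
$hits | Format-Table -AutoSize
if ($hits) { New-PublisherDenyPolicy -SampleFile $hits[0].File }
```

Review each hit before denying it: legitimate older drivers signed before the 2015 cut-off will also match, so the deny rule should target only the publisher you have confirmed as compromised.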

The LAPSUS$ hacking group said last week that Nvidia had until Friday 4 March 2022 to completely open source its GPU drivers across all operating systems, or the complete collection of stolen files would be leaked online.

The group has provided few updates since the deadline passed, apart from announcing its second major leak in as many weeks. LAPSUS$ said on Friday that it had obtained an array of source code belonging to Samsung, which could lead to access to the "lowest level" of devices such as its Galaxy series of smartphones.

Connor Jones