A security vendor has warned network security teams to be on high alert when reviewing code-signing certificates, after spotting an attempt to spoof one of its certs in order to disguise a cyber-attack.
Emsisoft claimed in a new blog post that after gaining initial access to a customer’s network, the attackers installed a dual-purpose remote access product known as MeshCentral.
It was signed with a certificate named “Emsisoft Server Trusted Network CA” in a bid to trick the security team into believing it was there legitimately, the AV vendor said.
“We believe this was done to make any detection of the application appear to be a false positive,” it said. “One of our products was installed and running on the compromised endpoint, after all, so an application that had supposedly been signed by an Emsisoft certificate may be believed to be safe and allow-listed.”
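The check below is an added example, not code from Emsisoft or from the original article. It treats the signer name on a file as a claim and accepts it only when the certificate's fingerprint is on a pinned list, so a certificate that merely carries the vendor's name is escalated instead of being closed as a false positive. The record fields, the pinned fingerprint, the sample subjects (other than the certificate name quoted above) and the file paths are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed placeholder fingerprint. A real list comes from the vendor,
# obtained out of band, never from the file being checked.
PINNED = {"emsisoft": {"A1" * 20}}


@dataclass(frozen=True)
class Signer:
    path: str            # signed file
    subject: str         # signer certificate name as shown to the analyst
    thumbprint: str      # hex fingerprint of the signer certificate
    chain_trusted: bool  # whether the OS built a chain to a trusted root


def normalise(thumbprint: str) -> str:
    """Strip separators so 'a1:a1:...' and 'A1A1...' compare equal."""
    return "".join(ch for ch in thumbprint if ch.isalnum()).upper()


def classify(signer: Signer, pinned=PINNED) -> str:
    subject = signer.subject.casefold()
    for vendor, prints in pinned.items():
        if vendor in subject:
            known = normalise(signer.thumbprint) in prints
            if known and signer.chain_trusted:
                return "verified"
            # The name claims the vendor but the certificate is not one of
            # the vendor's pinned certificates: escalate for review.
            return "name-only"
    return "unlisted"


def suspicious(signers, pinned=PINNED):
    """Paths whose signer name matches a pinned vendor but whose cert does not."""
    return [s.path for s in signers if classify(s, pinned) == "name-only"]


# Constructed sample records (paths and fingerprints are not real).
SAMPLES = [
    Signer(r"C:\sample\vendor_agent.exe", "Emsisoft Example Signing", "a1:" * 19 + "a1", True),
    Signer(r"C:\sample\remote_tool.exe", "Emsisoft Server Trusted Network CA", "B2" * 20, False),
    Signer(r"C:\sample\other.exe", "Example Software Inc", "C3" * 20, True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):10} {s.path}")
```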