Malicious parties use stolen Nvidia certificates to spread malware
Security researchers have discovered that two stolen driver certificates from Nvidia have been used to distribute malware. The certificates have expired, but can still be used in Windows to install drivers. This way, malware can appear legitimate.
The use of the certificates was noticed by security researchers Florian Roth, Kevin Beaumont and Will Dormann. The certificates leaked a week ago as part of the Nvidia data theft, in which a ransomware gang stole 1TB of data from Nvidia and published it when Nvidia refused to negotiate with the gang. That dump also contained the source code of Nvidia DLSS and the code names of several upcoming Nvidia GPUs.
Nvidia uses the certificates to sign executables and drivers for Windows, so that Windows can verify the origin of an exe or driver. This is meant to prevent fake drivers or malware from running on a Windows PC. According to the researchers, the certificates have been misused to sign malware and hacking tools. Among them are mimikatz.exe and hamakaze.exe, as can be seen on VirusTotal. Mimikatz is a suite of hacking tools used, among other things, to read unprotected passwords and other credentials. Hamakaze.exe, also known as KDU, is a trojan.
The certificates have also been misused to sign a Quasar remote access trojan and a Windows driver, Bleeping Computer writes. Both certificates expired in 2014, but Windows still accepts drivers signed with them. As a result, they can be misused to make an executable or driver appear legitimate in Windows; after all, it looks like an Nvidia driver or program.
For the time being, the certificates have not yet been added to the list of revoked certificates in Windows, but Windows Defender Application Control can be used to configure which Nvidia drivers may and may not be loaded on a system, David Weston of Microsoft writes on Twitter.
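As an added example (not part of the article, and not Microsoft's or Nvidia's own tooling), the following PowerShell script inventories Authenticode signatures in a directory and flags files whose signing certificate has already expired and whose subject names NVIDIA, which is the combination the article describes. The directory in `$Path` is an assumption; the thumbprints of the leaked certificates are not given in the article, so the script reports each signer's thumbprint for manual comparison rather than hard-coding any.

```powershell
# Added example: list binaries and drivers signed with an expired certificate
# whose subject names NVIDIA. $Path is an assumption; point it at the folder
# you want to review (for example a driver staging directory).
param(
    [string]$Path = "$env:SystemRoot\System32\drivers"
)

$now = Get-Date

Get-ChildItem -Path $Path -Include *.sys, *.exe, *.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file: nothing to evaluate here

        [PSCustomObject]@{
            File       = $_.FullName
            Status     = $sig.Status            # Windows' own verdict on the signature
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint       # compare against the leaked certificates' thumbprints
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt $now)      # signer already past its validity period
            NvidiaName = ($cert.Subject -match 'NVIDIA') # subject claims to be NVIDIA
        }
    } |
    Where-Object { $_.Expired -and $_.NvidiaName } |
    Sort-Object NotAfter |
    Format-Table -AutoSize File, Status, NotAfter, Thumbprint
```

Genuine older Nvidia drivers signed before the certificates expired will match too, so the list is a review queue, not a verdict: only the entries whose thumbprint matches a leaked certificate and whose timestamp or origin cannot be accounted for warrant a WDAC deny rule.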