Skip to main content

Hackers are using stolen Nvidia certificates to hide malware

Nvidia code-signing certificates that were extracted from a recent hack of the chip maker are being used for malware purposes, according to security researchers.

Hacking group LAPSUS$ recently claimed to have stolen 1TB of data from Nvidia. Now, sensitive information has appeared online in the form of two code-signing certificates that are used by Nvidia developers to sign their drivers.

A person surrounded by several computers types on a laptop.

As reported by BleepingComputer, the compromised signing certificates expired in 2014 and 2018, respectively. However, Windows still enables drivers to be authorized with these certificates. As a result, malware can be masked by them in order to appear trustworthy, subsequently paving the way for harmful drivers to be opened in a Windows PC without being detected.

Certain variations of malware that were signed with the aforementioned Nvidia certificates were discovered on VirusTotal, a malware scanning service. The samples that were uploaded found that they were being used to sign hacking tools and malware, including Cobalt Strike Beacon, Mimikatz, backdoors, and remote access trojans.

One individual was able to use one of the certificates to sign a Quasar remote access trojan. In another case, a Windows driver was signed by a certificate, which resulted in 26 security vendors flagging the file as malicious as of the time of this writing.

BleepingComputer says certain files could in all likelihood have been uploaded to VirusTotal by security researchers. There is also evidence that appears to suggest that other files that were checked by the service were uploaded by individuals and hackers who wish to spread malware; one such file was flagged as malicious by 54 security vendors.

Once a threat actor uncovers the method to integrate these stolen certificates, they can make programs that appear to be official Nvidia applications. Once opened, malicious drivers will then be loaded onto a Windows system.

David Weston, director of enterprise and OS security at Microsoft, commented on the situation on Twitter. He stated that an admin will be able to configure Windows Defender Application Control (WDAC) policies in order to manage which specific Nvidia driver can be loaded onto the system. However, as BleepingComputer points out, being familiar with implementing WDAC is not a common trait among the average Windows user.

So what does this all actually mean for Windows users? In a nutshell, those who create malware can target individuals with malicious drivers that can’t be easily detected. They typically spread such files through Google via fake driver download websites. With this in mind, don’t download any drivers from suspicious and untrustworthy websites. Instead, download them directly from Nvidia’s official website moving forward. Microsoft, meanwhile, is likely working on revoking the certificates in question.

Elsewhere, LAPSUS$ is expected to release a 250GB hardware folder it obtained from the Nvidia hack. It initially threatened to make it available last Friday should Nvidia fail to make its GPU drivers completely open-source “from now on and forever.” The group has already leaked Team Green’s proprietary DLSS code, while it also claims to have stolen the algorithm behind Nvidia’s crypto-mining limiter.

Editors' Recommendations

Zak Islam
Computing Writer
Zak Islam was a freelance writer at Digital Trends covering the latest news in the technology world, particularly the…
Great, hackers are now using ChatGPT to create malware
A laptop opened to the ChatGPT website.

A new threat has surfaced in the ChatGPT saga, with cybercriminals having developed a way to hack the AI chatbot and inundate it with malware commands.

The research firm Checkpoint has discovered that hackers have designed bots that can infiltrate OpenAI's GPT-3 API and alter its code so that it can generate malicious content, such as text that can be used for phishing emails and malware scripts.

Read more
Chrome’s take on Nvidia DLSS is set to launch, but you can’t use it yet
Three RTX 4080 cards sitting on a pink background.

Exciting new Nvidia tech is coming to Google Chrome, and on the browser side, the update is ready. We're talking about Nvidia's RTX Video Super Resolution (VSR), which is said to support upscaling up to 4K.

However, if you're itching to try it out, we have some bad news -- you can't use it just yet.

Read more
Experts fear ChatGPT will soon be used in devastating cyberattacks
The ChatGPT name next to an OpenAI logo on a black and white background.

ChatGPT has taken the world by storm in recent months, but just as it has amazed people with its technical capabilities, concerns have also been raised over its potential misuse. Now, it seems some IT leaders are worried it will soon be used in major cyberattacks, with the potential to cause devastation in the future.

In a survey of 1,500 IT and cybersecurity professionals conducted by BlackBerry, 51% of respondents believed that ChatGPT will be responsible for a successful cyberattack in the next 12 months. As much as 78% feel that attack will happen within two years, while a handful think it could happen within the next few months.

Read more