Skip to main content

Hackers are using stolen Nvidia certificates to hide malware

Nvidia code-signing certificates that were extracted from a recent hack of the chip maker are being used for malware purposes, according to security researchers.

Hacking group LAPSUS$ recently claimed to have stolen 1TB of data from Nvidia. Now, sensitive information has appeared online in the form of two code-signing certificates that are used by Nvidia developers to sign their drivers.

A person surrounded by several computers types on a laptop.
Image used with permission by copyright holder

As reported by BleepingComputer, the compromised signing certificates expired in 2014 and 2018, respectively. However, Windows still enables drivers to be authorized with these certificates. As a result, malware can be masked by them in order to appear trustworthy, subsequently paving the way for harmful drivers to be opened in a Windows PC without being detected.

Certain variations of malware that were signed with the aforementioned Nvidia certificates were discovered on VirusTotal, a malware scanning service. The samples that were uploaded found that they were being used to sign hacking tools and malware, including Cobalt Strike Beacon, Mimikatz, backdoors, and remote access trojans.

Get your weekly teardown of the tech behind PC gaming
Check your inbox!

One individual was able to use one of the certificates to sign a Quasar remote access trojan. In another case, a Windows driver was signed by a certificate, which resulted in 26 security vendors flagging the file as malicious as of the time of this writing.

BleepingComputer says certain files could in all likelihood have been uploaded to VirusTotal by security researchers. There is also evidence that appears to suggest that other files that were checked by the service were uploaded by individuals and hackers who wish to spread malware; one such file was flagged as malicious by 54 security vendors.

Once a threat actor uncovers the method to integrate these stolen certificates, they can make programs that appear to be official Nvidia applications. Once opened, malicious drivers will then be loaded onto a Windows system.

David Weston, director of enterprise and OS security at Microsoft, commented on the situation on Twitter. He stated that an admin will be able to configure Windows Defender Application Control (WDAC) policies in order to manage which specific Nvidia driver can be loaded onto the system. However, as BleepingComputer points out, being familiar with implementing WDAC is not a common trait among the average Windows user.

So what does this all actually mean for Windows users? In a nutshell, those who create malware can target individuals with malicious drivers that can’t be easily detected. They typically spread such files through Google via fake driver download websites. With this in mind, don’t download any drivers from suspicious and untrustworthy websites. Instead, download them directly from Nvidia’s official website moving forward. Microsoft, meanwhile, is likely working on revoking the certificates in question.

Elsewhere, LAPSUS$ is expected to release a 250GB hardware folder it obtained from the Nvidia hack. It initially threatened to make it available last Friday should Nvidia fail to make its GPU drivers completely open-source “from now on and forever.” The group has already leaked Team Green’s proprietary DLSS code, while it also claims to have stolen the algorithm behind Nvidia’s crypto-mining limiter.

Editors' Recommendations

Zak Islam
Former Digital Trends Contributor
Zak Islam was a freelance writer at Digital Trends covering the latest news in the technology world, particularly the…
This Google Chrome feature may save you from malware
Google Chrome app on s8 screen.

There are probably hundreds of thousands of Google Chrome extensions out there, and with so many options to choose from, it can be hard to know whether the plugin you want to install is hiding malware nasties.

That could become a thing of the past, though, as Google is testing a feature that will warn you if an extension you installed has been removed from its Chrome Web Store.

Read more
In the age of ChatGPT, Macs are under malware assault
A person using a laptop with a set of code seen on the display.

It's common knowledge -- Macs are less prone to malware than their Windows counterparts. That still holds true today, but the rise of ChatGPT and other AI tools is challenging the status quo, with even the FBI warning of its far-reaching implications for cybersecurity.

That may be why software developer Macpaw launched its own cybersecurity division -- dubbed Moonlock -- specifically to fight Mac malware. We spoke to Oleg Stukalenko, Lead Product Manager at Moonlock, to find out whether Mac malware is on the rise, and if ChatGPT could give hackers a massive advantage over everyday users.
State-sponsored attacks

Read more
Hackers are using AI to create vicious malware, says FBI
A hacker typing on an Apple MacBook laptop while holding a phone. Both devices show code on their screens.

The FBI has warned that hackers are running wild with generative artificial intelligence (AI) tools like ChatGPT, quickly creating malicious code and launching cybercrime sprees that would have taken far more effort in the past.

The FBI detailed its concerns on a call with journalists and explained that AI chatbots have fuelled all kinds of illicit activity, from scammers and fraudsters perfecting their techniques to terrorists consulting the tools on how to launch more damaging chemical attacks.

Read more