Summary

CertUtil is a Windows command-line utility that works with the system's certificates; it is primarily used to dump and display certification authority (CA) configuration information. It has many other functions and capabilities, such as computing file checksums, encoding and decoding files, and even retrieving files from the Internet. While it is a useful administrative tool, these same capabilities are why it is also used by malicious executables.

Encoding and magic bytes

Certificate files are often Base64-encoded, which is the industry-standard format for SSL certificates: the most common web servers generate certificate-signing requests and accept SSL certificates in Base64 format. Most file types follow a fixed structure, and the first bytes of the file header, known as the magic bytes, identify the file type.

For example, the magic bytes for an .exe file are MZ (4D 5A). Because Base64 encodes every three bytes as four characters, an .exe file can also be identified from the first six characters of its Base64-encoded form, which for the usual header 4D 5A 90 00 are TVqQAA. See the Base64

Using CertUtil

CertUtil can act as the vehicle for both downloading and decoding a payload. To demonstrate how malware often uses CertUtil, in this lab you will use the -encode and -decode options: -encode converts a specified file to Base64, and -decode reverses the process. To view the encoded file in its Base64 form, simply open it in a text editor such as Notepad.

certutil.exe [Options] [InFile] [OutFile]

Malware

Malicious actors can use CertUtil to communicate with their C2 servers and download payloads disguised as certificate files. An organisation's firewall rules are generally triggered by an unidentifiable executable or a known-malicious binary; those rules are not triggered when the malicious file is disguised as an encoded certificate.

Many malware samples use this technique to download files and scripts onto an infected computer, because it bypasses the system's rules on unknown files being downloaded. By using CertUtil, a Windows utility that is often whitelisted by security programs, malware is able to pull down scripts and files without any barriers.

Malware executables can take advantage of CertUtil by having a payload encoded and disguised as a certificate file, so that an AV would not detect the payload. CertUtil can also be used to easily install fake certificates for man-in-the-middle (MITM) attacks, and to download Base64- or hexadecimal-encoded files disguised as certificates and then decode them.

Examples of CertUtil in malware

A few examples of CertUtil being used in bigger malware campaigns can be seen below.

Trojan.Neuron

This malware was used in a targeted attack on the Saudi Government. It uses a social engineering tactic to trick users into executing code via a Word macro, and then attempts to steal files of interest from the victim's system. The malware uses CertUtil to download the payload, decode it, and execute it as a PE file.

certis.exe

This malware, which targets Brazil, not only uses CertUtil to download the payload onto the victim's system but also abuses it further: it copies certutil.exe and renames it to certis.exe as an evasive measure, because the use of certutil in malware is quite well known. It then uses certis.exe to download the payload.

Retefe

Retefe is a banking trojan that was used to target victims in Sweden, Switzerland and Japan. It uses tailored 'order' and 'receipt' emails based on the country it is targeting. Retefe writes its root certificate to disk and uses CertUtil to install it.