Hackers Signing Malware With Stolen NVIDIA Certificates


Weeks ago, the hacker group known as LAPSUS$ broke into NVIDIA’s servers and stole almost 1TB of sensitive data. The group then held that data for ransom, demanding that the GPU maker pay so that information about its chipset designs, graphics and silicon would not be released. More recently, the group appears to be putting its ill-gotten gains to a different use: signing malware with expired NVIDIA certificates.

Security researchers have found that a code-signing certificate included in that first batch of leaked files is now being used to sign malware. What is important to note here is that both leaked signing certificates have expired; however, Windows still allows drivers signed with them to be loaded, which poses a serious security risk.

Security researchers Kevin Beaumont and Will Dormann shared that the stolen certificates utilize the following serial numbers:


Some of the files were likely uploaded to VirusTotal by security researchers but others appear to be used by threat actors for malware campaigns.

Security researcher Florian Roth (@cyb3rops) shared the following on Twitter: “Now we see many malware samples signed with the leaked NVIDIA certs on @virustotal” (Florian Roth).

VirusTotal Queries:

VT Dorks to Find Samples Signed with Leaked NVIDIA Certificates.

Samples (Munin output), hashes, and info:

Click Google Docs for sample hash lookups.

YARA Signature:

Github Link

import "pe"

rule SUSP_NVIDIA_LAPSUS_Leak_Compromised_Cert_Mar22_1 {
   meta:
      description = "Detects a binary signed with the leaked NVIDIA certificate and compiled after March 1st 2022"
      author = "Florian Roth"
      date = "2022-03-03"
      modified = "2022-03-04"
      score = 70
      reference = "https://twitter.com/cyb3rops/status/1499514240008437762"
   condition:
      uint16(0) == 0x5a4d and filesize < 100MB and
      pe.timestamp > 1646092800 and // comment out to find all files signed with that certificate
      for any i in (0 .. pe.number_of_signatures) : (
         pe.signatures[i].issuer contains "VeriSign Class 3 Code Signing 2010 CA" and (
            pe.signatures[i].serial == "43:bb:43:7d:60:98:66:28:6d:d8:39:e1:d0:03:09:f5" or
            pe.signatures[i].serial == "14:78:1b:c8:62:e8:dc:50:3a:55:93:46:f5:dc:c5:18"
         )
      )
}
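Added example, not Florian Roth’s rule or the signature-base project’s code: a Python re-implementation of the rule’s condition over already-extracted PE metadata (for instance from pefile or signify), which also normalizes serials between the colon form the YARA rule uses and the bare-hex form the Splunk queries further down use. The sample records and issuer strings are constructed.

```python
from datetime import datetime, timezone

# The two leaked serials as the YARA rule writes them (colon-separated hex)
LEAKED_SERIALS = {
    "43:bb:43:7d:60:98:66:28:6d:d8:39:e1:d0:03:09:f5",
    "14:78:1b:c8:62:e8:dc:50:3a:55:93:46:f5:dc:c5:18",
}
ISSUER_FRAGMENT = "VeriSign Class 3 Code Signing 2010 CA"
# pe.timestamp threshold from the rule: 2022-03-01 00:00:00 UTC == 1646092800
COMPILED_AFTER = int(datetime(2022, 3, 1, tzinfo=timezone.utc).timestamp())
MAX_FILESIZE = 100 * 1024 * 1024  # the rule's "filesize < 100MB"

def normalize_serial(serial):
    """Bring a serial in YARA (aa:bb), Splunk (aabb), spaced or int form to the
    lower-case colon form, so both conventions on this page compare equal."""
    if isinstance(serial, int):
        hexstr = f"{serial:032x}"
    else:
        hexstr = "".join(c for c in serial.lower() if c in "0123456789abcdef")
    hexstr = hexstr.zfill(len(hexstr) + len(hexstr) % 2)  # whole bytes only
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))

def matches_rule(record, require_recent=True):
    """Mirror the rule's condition on already-extracted PE metadata.
    record: {"mz": bool, "filesize": int, "timestamp": int,
             "signatures": [{"issuer": str, "serial": str|int}, ...]}
    require_recent=False is the rule with the pe.timestamp clause commented out.
    The compile timestamp is attacker-controlled, which is why the rule scores 70."""
    if not record["mz"] or record["filesize"] >= MAX_FILESIZE:
        return False
    if require_recent and record["timestamp"] <= COMPILED_AFTER:
        return False
    return any(ISSUER_FRAGMENT in sig["issuer"]
               and normalize_serial(sig["serial"]) in LEAKED_SERIALS
               for sig in record["signatures"])

# Constructed records: issuer strings are shortened and none of these are real samples
_SIG = {"issuer": "CN=" + ISSUER_FRAGMENT, "serial": "43bb437d609866286dd839e1d00309f5"}
SAMPLE_HIT = {"mz": True, "filesize": 1_200_000, "timestamp": 1646352000,  # 2022-03-04
              "signatures": [_SIG]}
SAMPLE_OLD = dict(SAMPLE_HIT, timestamp=1388534400)  # 2014-01-01: a genuinely old driver
SAMPLE_OTHER_CERT = dict(SAMPLE_HIT, signatures=[dict(_SIG, serial="00:" * 15 + "01")])
```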

Hunting for NVIDIA Certificates:

(Source: CrowdStrike)

Find NVIDIA Signed Software

First, we want to see how much stuff we’re dealing with. To do this, we’ll look for binaries signed with NVIDIA’s code signing certificate. If we want to cast the widest possible net, we can look for all NVIDIA signed binaries like so:

index=json ExternalApiType=Event_ModuleSummaryInfoEvent 
| search SubjectCN IN ("NVIDIA Corporation") 
| lookup local=true appinfo.csv SHA256HashData OUTPUT FileName, ProductName, ProductVersion , FileDescription , FileVersion , CompanyName 
| fillnull value="Unknown" FileName, ProductName, ProductVersion , FileDescription , FileVersion , CompanyName
| stats values(SubjectDN) as SubjectDN, values(SHA256HashData) as sha256 by IssuerCN, FileName, ProductName, ProductVersion , FileDescription , FileVersion , CompanyName
| sort + FileName

This list will (likely) be very, very large.

If we want to be more restrictive, we can key in on specific certificate serial numbers — below are the two serial numbers that we’ve observed being used in open source malware repositories (1) (2). If, after this post is published, you wish to add additional serial numbers to the scope of the search, just append them to the list in the second line. That query will look like this:

index=json ExternalApiType=Event_ModuleSummaryInfoEvent 
| search SubjectSerialNumber IN (43bb437d609866286dd839e1d00309f5, 14781bc862e8dc503a559346f5dcc518) 
| lookup local=true appinfo.csv SHA256HashData OUTPUT FileName, ProductName, ProductVersion , FileDescription , FileVersion , CompanyName 
| fillnull value="Unknown" FileName, ProductName, ProductVersion , FileDescription , FileVersion , CompanyName
| stats values(SHA256HashData) as sha256 by IssuerCN, SubjectCN, SubjectDN, FileName, ProductName, ProductVersion , FileDescription , FileVersion , CompanyName

  • Line one grabs all the Event_ModuleSummaryInfoEvent data from the selected search window. This event will show PE Authenticode and Certificate data.
  • Line two narrows our scope to the two certificate serial numbers we have in scope at the moment.
  • Line three uses a lookup table to see if the ThreatGraph knows what the name of this file is.
  • Line four sets the value of columns to “Unknown” if a value can’t be found.
  • Line five organizes our output to make it a little easier to read.

The output should look like this:

Right at the top of both queries, you will see there is a list of “Unknown” SHA256 values. To be clear, this DOES NOT mean these are bad, rogue, etc. This is the collection of SHA256 values that we’re going to further research.

Know the Unknowns

To get a handle on the unknowns, we’re going to create another search. In my list above (in the second query), the following hashes don’t have data associated with them:


If you’re using the first query, your list of hashes will be MUCH longer. That’s fine, just place the giant list into the same section outlined below.

Note: in our first query, where we found these hashes, we used the event Event_ModuleSummaryInfoEvent. This data persists in Falcon for one year, regardless of the retention package you purchased. The query we’re about to run uses events that are tied to your specific retention period. For this reason, when we run this next query I’m not expecting to see all the SHA256 values present. They could be, but they also might not be.

Here is the query:

index=main sourcetype IN (ProcessRollup*, ImageHash*, PeFileWritten*, DriverLoad*) event_platform=win event_simpleName IN (ProcessRollup2, ImageHash, PeFileWritten, DriverLoad)
| search SHA256HashData IN (
    <paste your "Unknown" SHA256 values here, comma-separated>
)
| eval falconPID=coalesce(ContextProcessId_decimal, TargetProcessId_decimal)
| eval ProcExplorer=case(falconPID!="","https://falcon.crowdstrike.com/investigate/process-explorer/" .aid. "/" . falconPID)
| stats values(FileName) as fileName, dc(aid) as endpointCount, count(aid) as runCount, values(FilePath) as filePaths, values(event_simpleName) as eventType by SHA256HashData, ProcExplorer

Again, what you need to do to customize this query is to remove the block of my SHA256 values and replace them with your “Unknown” list.

The query is looking for file write, file execute, DLL load, and driver load events that belong to one of these SHA256 values we’ve specified. The output will look similar to this:

Source : https://www.reddit.com/r/crowdstrike/comments/t81heu/20220306_cool_query_friday_situational_awareness/?utm_medium=android_app&utm_source=share

All of this activity appears normal to me — with the exception of the last line as it appears I have a co-worker running Fallout 4 on a system with Falcon installed on it (sigh).

If you want to drill in on any of these results, you can click the “ProcExplorer” link to be taken to the Process Explorer view.

Frequency Analysis

The most effective way to deal with a dataset this large and an event this common is likely to perform frequency analysis. The following can help with that:

index=main sourcetype IN (ProcessRollup*, ImageHash*, PeFileWritten*, DriverLoad*) event_platform=win event_simpleName IN (ProcessRollup2, ImageHash, PeFileWritten, DriverLoad)
| search SHA256HashData IN (
    <paste your "Unknown" SHA256 values here, comma-separated>
)
| eval falconPID=coalesce(ContextProcessId_decimal, TargetProcessId_decimal)
| eval ProcExplorer=case(falconPID!="","https://falcon.crowdstrike.com/investigate/process-explorer/" .aid. "/" . falconPID)
| rex field=FilePath ".*\\HarddiskVolume\d+(?<trimmedPath>.*)"
| stats values(FileName) as fileName, dc(aid) as endpointCount, count(aid) as runCount, values(trimmedPath) as filePaths, values(event_simpleName) as eventType by SHA256HashData

The output will look similar to this:

From here, I might look for things in AppData/Temp, a user’s Downloads folder, or similar — as those are not places I expect NVIDIA binaries to be. I also might initially target .exe files, as NVIDIA driver files are typically .sys or .dll.

The queries can be further customized to suit your specific hunting needs, but this is meant to get those creative juices flowing.
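The frequency analysis and the triage heuristics above, as an added Python example that is not CrowdStrike’s query or code: it reproduces the stats line and the rex path trimming over Falcon-style events and ranks hashes that are .exe files or live under AppData, Temp or Downloads ahead of the rest, rarest endpoint count first. Field names follow the query; the events, hashes and file names are constructed.

```python
import re
from collections import defaultdict

# Same intent as the rex in the query above: drop the \Device\HarddiskVolumeN prefix
VOLUME_RE = re.compile(r".*\\HarddiskVolume\d+(?P<trimmedPath>.*)")
# Locations where the text says it does not expect NVIDIA binaries to live
UNEXPECTED_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\")

def trim_path(file_path):
    m = VOLUME_RE.match(file_path)
    return m.group("trimmedPath") if m else file_path

def summarize(events):
    """Equivalent of the stats line: per SHA256, dc(aid), count(aid), paths, event types."""
    acc = defaultdict(lambda: {"names": set(), "aids": set(), "runCount": 0,
                               "paths": set(), "types": set()})
    for ev in events:
        g = acc[ev["SHA256HashData"]]
        g["names"].add(ev["FileName"].lower())
        g["aids"].add(ev["aid"])
        g["runCount"] += 1
        g["paths"].add(trim_path(ev["FilePath"]))
        g["types"].add(ev["event_simpleName"])
    return {h: {"fileName": sorted(g["names"]), "endpointCount": len(g["aids"]),
                "runCount": g["runCount"], "filePaths": sorted(g["paths"]),
                "eventType": sorted(g["types"])} for h, g in acc.items()}

def flags(row):
    """(lives in an unexpected directory?, is an .exe?) for one summarized hash."""
    odd_dir = any(d in (p + "\\").lower() for p in row["filePaths"] for d in UNEXPECTED_DIRS)
    is_exe = any(n.endswith(".exe") for n in row["fileName"])
    return odd_dir, is_exe

def ranked_hashes(events):
    """Hashes to look at first: flagged ones, then the rarest by endpoint count."""
    summary = summarize(events)
    return sorted(summary, key=lambda h: (not any(flags(summary[h])),
                                          summary[h]["endpointCount"]))

# Constructed sample events in the shape of the Falcon fields the query uses
SAMPLE_EVENTS = [
    {"SHA256HashData": "HASH_A", "aid": a, "FileName": "nvlddmkm.sys",
     "FilePath": r"\Device\HarddiskVolume3\Windows\System32\drivers",
     "event_simpleName": "DriverLoad"} for a in ("aid1", "aid2", "aid3")
] + [
    {"SHA256HashData": "HASH_B", "aid": "aid4", "FileName": "nvupdate.exe",
     "FilePath": r"\Device\HarddiskVolume3\Users\jdoe\AppData\Local\Temp",
     "event_simpleName": t} for t in ("PeFileWritten", "ProcessRollup2")
]
```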

(Source: CrowdStrike)

