Nvidia's stolen data is being used to disguise malware as GPU drivers – PC Gamer

RATs and Mimikatz builds signed with genuine Nvidia certificates are rife. Here are the signatures to look out for.
Following the data leak linked to an Nvidia hack by a group calling itself Lapsus$, stolen code-signing certificates are being used to gain remote access to unsuspecting machines and to deploy other malicious software.
According to TechPowerUp, the certificates are being used to "develop a new breed of malware," and BleepingComputer lists Cobalt Strike beacons, Mimikatz, backdoors, and Remote Access Trojans (RATs) as just some of the malware being deployed by this means.
If you're not aware, a code-signing certificate is something developers use to sign executable files and drivers before rolling them out to the public. It gives Windows and prospective users a more secure way to verify who published the original file. Microsoft requires kernel-mode drivers to be code signed; otherwise the OS will refuse to load them.
If some hooligan signs malware with a genuine Nvidia certificate, your PC may not be able to catch the malware before it unpacks and wreaks havoc on your system.
The recent digital siege of Nvidia saw Lapsus$ demanding the company release a hashrate limiter bypass, a demand that was not met. The fallout resulted in not only code-signing certificates being leaked, but also 71,000 employee credentials, Nvidia's DLSS source code, and perhaps even some next-gen GeForce GPU names.
"As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66 pic.twitter.com/gCrol0BxHd" (March 3, 2022)
Of course, it didn't take long for the leaked certificates to join the arsenal of hackers lurking around the web, who pounced on the chance to hide behind Nvidia's genuine signatures in order to carry out their malevolent plans.
The certificates are now being used to sign Windows drivers as well as Quasar RATs; for one such file, VirusTotal currently shows that "46 security vendors and 1 sandbox flagged this file as malicious."
BleepingComputer, thanks to the keen reporting of security researchers Kevin Beaumont and Will Dormann, notes the following serial numbers as those to look out for:
Both are expired Nvidia certificates, but your OS will still let files signed with them pass just the same. Just something to keep an eye on if you're thinking of downloading a file you suspect may have been tampered with.
There are ways to tell Windows not to allow files signed with these certificates through, but they may well be awkward to implement if you don't have a background in IT. They may also be a pain when you actually come to install a legitimately signed Nvidia driver.
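One way to check downloads against the serial numbers the researchers published, as an added example that is not part of the PC Gamer article: the PowerShell below reads each file's Authenticode signer certificate, compares its serial number against a list of known-compromised serials, and reports whether that certificate has expired. The serial numbers in the list and the scan path are placeholders to be replaced with the values from the BleepingComputer report and your own download folder.

```powershell
# Added example (not from the article): flag files whose Authenticode signer
# certificate matches a known-compromised serial number, and report whether
# the certificate has expired. The serials below are PLACEHOLDERS; substitute
# the values published by BleepingComputer / the researchers.
$CompromisedSerials = @(
    'PLACEHOLDER_SERIAL_1',
    'PLACEHOLDER_SERIAL_2'
)

function Test-LeakedSigner {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        # Unsigned file: nothing to compare, but still report the status
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; Signer = $null
            Serial = $null; Expired = $null; Compromised = $false
        }
    }
    # Normalise the serial (tools sometimes display it with spaces / lowercase)
    $serial = ($cert.SerialNumber -replace '\s', '').ToUpperInvariant()
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status           # Valid, NotSigned, HashMismatch, ...
        Signer      = $cert.Subject
        Serial      = $serial
        Expired     = ($cert.NotAfter -lt (Get-Date))
        Compromised = ($CompromisedSerials -contains $serial)   # case-insensitive
    }
}

# Scan a download folder (placeholder path) and list anything signed with a
# listed serial, regardless of whether Windows reports the signature as Valid.
Get-ChildItem -Path 'C:\Downloads' -Include '*.exe','*.sys','*.dll' -Recurse |
    ForEach-Object { Test-LeakedSigner -Path $_.FullName } |
    Where-Object { $_.Compromised } |
    Format-Table Path, Status, Signer, Serial, Expired -AutoSize
```

A match on a listed serial is the signal to act on; a Status of Valid alone says nothing here, because an expired certificate with a valid timestamp can still verify.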
As always, stay safe out there.
Screw sports, Katie would rather watch Intel, AMD and Nvidia go at it. She can often be found admiring AI advancements, sighing over semiconductors, or gawping at the latest GPU upgrades. She’s been obsessed with computers and graphics since she was small, and took Game Art and Design up to Masters level at uni. Her thirst for absurd Raspberry Pi projects will never be sated, and she will stop at nothing to spread internet safety awareness—down with the hackers.
PC Gamer is part of Future US Inc, an international media group and leading digital publisher.
© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.