NVIDIA Certificates Are Being Used to Sign Malware and Trojans on Windows

A short while back, NVIDIA was hacked by a South American hacker group calling themselves Lapsus$. In addition to the source code for DLSS and LHR, the miscreants also leaked confidential hardware header and C++ files containing the configuration, parameters, and other firmware details of existing and future GPUs. Furthermore, the leak also includes two NVIDIA certificates used for signing the drivers and other executables distributed by the chipmaker.

A code-signing certificate lets a developer digitally sign executables and drivers so that Windows can verify that they come from that publisher and have not been altered, which is what keeps a tampered file from a malicious source from being trusted. After Lapsus$ leaked NVIDIA’s certificates, they were quickly picked up by cyberthieves to sign malware, trojans, and backdoors, which were then circulated on the internet.

Going by the samples uploaded to VirusTotal (a malware scanning service), the certificates were used to sign various malware and hacking tools, such as Cobalt Strike beacons, Mimikatz, backdoors, and remote access trojans.

Although both NVIDIA certificates have expired, Windows still allows drivers signed with them to be installed. Microsoft has issued a statement acknowledging the security issue, and it should be fixed soon.
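To triage a Windows host for this, here is an added PowerShell example (not from the article, and not an NVIDIA or Microsoft tool) that lists signed executables and drivers whose Authenticode signer is an NVIDIA certificate that has already expired. The thumbprint values are placeholders, and `Find-ExpiredNvidiaSigned` is a name chosen for this example.

```powershell
# Added example: hunt a directory tree for executables and drivers whose
# Authenticode signer is an NVIDIA certificate that has already expired.
# The thumbprints below are PLACEHOLDERS; take the leaked certificates' real
# thumbprints from a trusted advisory before relying on that match.
$LeakedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_CERT_1',
    'PLACEHOLDER_THUMBPRINT_CERT_2'
)

function Find-ExpiredNvidiaSigned {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Extensions = @('*.exe', '*.dll', '*.sys')
    )

    Get-ChildItem -Path $Path -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }   # unsigned file: nothing to check here

            $isNvidia  = $cert.Subject -match 'NVIDIA'
            $isExpired = $cert.NotAfter -lt (Get-Date)
            $isLeaked  = $LeakedThumbprints -contains $cert.Thumbprint

            if ($isNvidia -and ($isExpired -or $isLeaked)) {
                # A genuine old driver stays valid because it carries a timestamp
                # countersignature made while the certificate was still valid; a
                # signature with no timestamp, or one dated after NotAfter, deserves
                # a closer look.
                [pscustomobject]@{
                    File        = $_.FullName
                    Status      = $sig.Status          # 'Valid' means Windows still trusts it
                    Subject     = $cert.Subject
                    Thumbprint  = $cert.Thumbprint
                    NotAfter    = $cert.NotAfter
                    Timestamped = ($null -ne $sig.TimeStamperCertificate)
                    KnownLeaked = $isLeaked
                }
            }
        }
}

# Usage (review the output by hand; a hit is a lead, not a verdict):
# Find-ExpiredNvidiaSigned -Path 'C:\Windows\System32\drivers' | Format-Table -AutoSize
```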

Areej Syed

Processors, PC gaming, and the past. I have written about computer hardware for over seven years with over 5000 published articles. I started during engineering college and haven't stopped since. On the side, I play RPGs like Baldur's Gate, Dragon Age, Mass Effect, Divinity, and Fallout. Contact: