The new Windows CryptoAPI CVE-2020-0601 vulnerability disclosed by the NSA can be abused by malware developers to sign their executables so that they appear to be from legitimate companies. This creates trust in the program, which may cause a user to be more willing to execute them.
Most of the coverage of this vulnerability illustrates how the vulnerability can be exploited to spoof certificates used for TLS connections to web sites and perform MiTM attacks.
For example, Kudelski Security illustrated how they used the vulnerability to create a fake certificate that impersonates github.com. To protect users, Chrome added protections that block users from accessing sites using these spoofed certificates.
Spoofing web site certificates
This vulnerability, though, can also be used to spoof code-signing certificates.
When a developer releases a program, they can digitally sign the executables to assure users that the program is from a trusted source. If that user trusts the company, then their signed executables are most likely trustworthy as well and would be more apt to execute them.
Antivirus software may also whitelist software from being detected as malware if they utilize trusted and well-known digital signatures.
Using this new CryptoAPI vulnerability, malware distributors can create code-signing certificates that spoof legitimate companies so that their signed malware executables appear to be from a trusted company like Microsoft.
It's about trust
When running an executable in Windows that requires elevated, or administrative, privileges the operating system will display a User Account Control (UAC) prompt asking you to confirm if the permission shou ..