
Microsoft Defender mislabels DigiCert certificates as Trojan

Originally published on: May 4, 2026
Summary

– Microsoft Defender falsely flagged legitimate DigiCert root certificates as malware starting April 30, removing them from Windows trust stores on some systems.
– The false positives were caused by a Defender signature update; Microsoft fixed the issue in Security Intelligence update version 1.449.430.0.
– The false alerts stemmed from Microsoft’s response to a recent DigiCert breach, where attackers stole code-signing certificates used to sign malware.
– In the DigiCert incident, hackers compromised a support analyst’s device and obtained initialization codes for EV code-signing certificates, leading to 60 certificates being revoked.
– The flagged root certificates in Windows are distinct from the revoked code-signing certificates used in the “Zhong Stealer” malware campaign.

Microsoft Defender recently triggered a wave of false positive alerts, mistakenly flagging legitimate DigiCert root certificates as the Trojan:Win32/Cerdigent.A!dha threat. The error, which began after a Defender signature update on April 30th, caused widespread concern among Windows users and, in some cases, led to the automatic removal of these certificates from the system’s trust store.

Cybersecurity researcher Florian Roth first identified the issue, noting that the false positives stemmed from a specific signature update. Administrators around the globe soon reported that their DigiCert root certificate entries were being detected as malware. On affected systems, these entries were deleted from the AuthRoot store, located under the registry key `HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\`. The two certificates flagged were those with thumbprints `0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43` and `DDFB16CD4931C973A2037D3FC83A4D7D775D05E4`.

The alarm was so severe that some users, fearing a real infection, opted to reinstall their entire operating system. Microsoft has since addressed the problem with Security Intelligence update version 1.449.430.0 (the latest being 1.449.431.0), which reportedly fixes the detections and restores previously removed certificates. Users can manually force this update by navigating to Windows Security > Virus and threat protection > Protection updates and clicking Check for Updates.
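For administrators who want to verify the fix on a fleet rather than click through the UI, the following PowerShell script is an added example (not from the article, BleepingComputer or Microsoft). It assumes the Defender PowerShell module is available (`Get-MpComputerStatus`, `Get-MpThreat`, `Update-MpSignature`), takes the fixed signature version, the AuthRoot registry path and the two thumbprints from the article, and reports whether the signatures are at or past the fix, whether the Cerdigent detection appears in the local threat history, and whether both DigiCert root certificates are still present in the machine AuthRoot store.

```powershell
# Added example, not part of the original article: audit a Windows host for the
# DigiCert/Defender false-positive described above.
# Values taken from the article:
$FixedVersion = [version]'1.449.430.0'
$Thumbprints  = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
$RegBase = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

# 1. Is the signature version at or past the one Microsoft says contains the fix?
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
if ($current -lt $FixedVersion) {
    Write-Warning "Signature version $current predates the fix ($FixedVersion); requesting update."
    Update-MpSignature          # same as Protection updates > Check for updates
} else {
    Write-Host "Signature version $current includes the fix."
}

# 2. Did this host actually raise the false positive? Threat name from the article.
$hits = Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' }
if ($hits) {
    Write-Host "Cerdigent detection(s) recorded on this host:"
    $hits | Select-Object ThreatName, ThreatID | Format-Table -AutoSize
} else {
    Write-Host "No Cerdigent detections in the local threat history."
}

# 3. Are the two root certificates still in the AuthRoot store? Check both the
#    certificate provider view and the registry key the article names.
foreach ($tp in $Thumbprints) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
            Where-Object { $_.Thumbprint -eq $tp }
    $inRegistry = Test-Path -Path (Join-Path $RegBase $tp)
    if ($cert) {
        Write-Host ("{0} present: {1} (valid until {2:yyyy-MM-dd})" -f $tp, $cert.Subject, $cert.NotAfter)
    } elseif ($inRegistry) {
        Write-Warning "$tp has a registry entry but is not enumerable in Cert:\LocalMachine\AuthRoot."
    } else {
        Write-Warning "$tp missing from AuthRoot; it may have been removed by the false positive."
    }
}
```

Run it in an elevated PowerShell session; the Defender cmdlets and the HKLM check need administrator rights. A missing root after the signature update has applied means the automatic cleanup has not yet restored it, so re-run the check after the next Defender scan before escalating.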

Microsoft confirmed to BleepingComputer that the false positives were tied to detections for compromised certificates from a recent DigiCert security breach. “Following reports of compromised certificates, Microsoft Defender immediately added detections for malware in our Defender Antivirus Software to help keep customers protected,” the company stated. “Earlier today we determined false positive alerts were mistakenly triggered and updated the alert logic. Microsoft Defender suppressed and cleaned up the alerts for customer environments. Customers should update to Security Intelligence version 1.449.430.0 or later, but do not need to take additional action for these alerts.”

The confusion stems from a real incident: a DigiCert security breach in early April. Attackers targeted DigiCert’s support team by sending malicious ZIP files disguised as screenshots. After several blocked attempts, one support analyst’s device was compromised, followed by a second system that remained undetected due to a “sensor gap” in endpoint protection. Using access to the breached support environment, the hacker exploited a feature in DigiCert’s internal portal to view customer accounts from the customer’s perspective. This exposed initialization codes for previously approved but undelivered EV code-signing certificate orders.

“Possession of an initialization code, combined with an approved order, is sufficient to obtain the resulting certificate,” DigiCert explained in its incident report. The company ultimately revoked 60 code-signing certificates, including 27 linked to a Zhong Stealer malware campaign. Eleven of those were identified through community reports, and 16 were discovered during DigiCert’s own investigation.

This aligns with earlier findings from security researchers like Squiblydoo, MalwareHunterTeam, and g0njxa, who observed newly issued DigiCert EV certificates used in malware campaigns. Certificates issued to companies such as Lenovo, Kingston, Shuttle Inc, and Palit Microsystems were being used to sign malware. “What do Lenovo, Kingston, Shuttle Inc, and Palit Microsystems have in common?” Squiblydoo posted on X. “EV Certificates from these companies were issued and used by a Chinese crime group, #GoldenEyeDog (#APT-Q-27)!”

The malware, named Zhong Stealer, functions more like a remote access trojan (RAT) than a simple infostealer. Researchers detail its distribution through phishing emails containing fake images, a first-stage executable that displays a decoy, retrieval of a second-stage payload from cloud storage like AWS, and the use of signed binaries and loaders tied to legitimate vendors.

It is critical to understand that the certificates flagged by Microsoft Defender are root certificates in the Windows trust store. They do not match the revoked DigiCert code-signing certificates used to sign malware. The false positive was a defensive overreaction to the DigiCert breach, not an indication that those root certificates were compromised.

(Source: BleepingComputer)
