Business password management developer Click Studios has revoked the digital certificate that was used to sign malware for the recent and actively exploited zero-day vulnerability in Microsoft Office.
An unnamed antivirus vendor contacted the Adelaide-based company to inform it that some copies of malware delivered through Follina were signed with Click Studios’ DigiCert SHA-256 certificate.
Because digital certificates are used to ensure code integrity, Click Studios asked DigiCert to revoke the credential, which is typically used to sign its Passwordstate password management software.
“Although no Passwordstate code or functionality has been directly targeted or affected, we have asked DigiCert to revoke the certificate.
“Once revoked, the availability of instances of Passwordstate may be affected through the operating system, antivirus, or endpoint protection software,” Click Studios said [pdf].
Click Studios doesn’t know how the certificate was obtained by the attackers, but said it can’t allow the credential to be used to digitally sign malware.
A new certificate has been obtained to sign Click Studios software, and the company has compiled Passwordstate to include the updated credential.
Follina abuses the remote template feature in Microsoft Office to run code remotely with the Microsoft Support Diagnostic Tool (MSDT), evading detection by the Defender anti-malware utility.