Hi,
I am the developer owning the Akeo Consulting signing credential, which is the one being used to sign the popular Rufus Windows application.
I was recently made aware that you decided to add the signing certificate as knownbad in commit 033a1d8, apparently on a report from https://capesandbox.com/analysis/444899/
From reading the source report you used, while it appears that someone did indeed try to make it look like my signature was applied onto a malware executable, the report for said malware also states, when you click on the Digital Signature section and then look at the Microsoft Certificate Validation (Sign Tool) section:
CryptCATAdminCalcHashFromFileHandle returned error: 0x800700C1 AI}2 is not a valid Win32 application. SignTool Error: WinVerifyTrust returned error: 0x80096010 The digital signature of the object did not verify.
So, if my interpretation of the report is correct, the signature on the executable where my signature was found is invalid; therefore, the conclusion that my credentials have been stolen should be discounted, and Akeo Consulting should be removed from knownbad.
I also see, from another commented section in knownbad, that this does not appear to be the first time Akeo Consulting was added as a potentially stolen certificate before being removed...
For the record, the Akeo Consulting credential I am using for signing is an EV Authenticode credential, which, like all EV credentials, resides on a hardware security token (therefore, not something that can be stealthily duplicated) that I have right under my eyes at the moment, and therefore that I can also confirm cannot have been stolen.
So, I hope you can rectify your YARA rule and try not to add certificates that come from a source that also indicates that the digital signature of the malware failed to validate.
Thank you.
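The triage check the message asks for, written as an added example (not code from the sender, the sandbox, or the YARA rule project): parse the SignTool verification transcript quoted above, recover the HRESULT error codes it contains, and only treat a signer as a stolen-key candidate when a signature that actually verifies sits on malicious content. The HRESULT meanings are the documented Windows values; the function names, the `SignatureCheck` dataclass and the "success" transcript are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Documented Windows HRESULT values (general knowledge, not taken from the report).
HRESULT_MEANINGS = {
    0x80096010: "TRUST_E_BAD_DIGEST: file hash does not match the signed digest",
    0x800B0100: "TRUST_E_NOSIGNATURE: no Authenticode signature present",
    0x800700C1: "HRESULT_FROM_WIN32(ERROR_BAD_EXE_FORMAT): not a valid PE image",
}

HRESULT_RE = re.compile(r"\b0x([0-9A-Fa-f]{8})\b")

# Transcript quoted in the message above (the sandbox's SignTool section).
REPORT_FROM_MESSAGE = (
    "CryptCATAdminCalcHashFromFileHandle returned error: 0x800700C1 AI}2 is not a "
    "valid Win32 application. SignTool Error: WinVerifyTrust returned error: "
    "0x80096010 The digital signature of the object did not verify."
)

# Constructed success transcript, in the shape SignTool prints when a
# signature validates; not taken from the report.
CONSTRUCTED_SUCCESS = "Successfully verified: constructed_sample.exe"


@dataclass
class SignatureCheck:
    verified: bool
    error_codes: list = field(default_factory=list)
    explanations: list = field(default_factory=list)


def parse_signtool_output(text: str) -> SignatureCheck:
    """Extract HRESULTs from a SignTool/WinVerifyTrust transcript and decide
    whether the Authenticode signature actually validated."""
    codes = [int(h, 16) for h in HRESULT_RE.findall(text)]
    # SignTool prints 'Successfully verified: <file>' only when both the
    # certificate chain and the file digest check out.
    verified = ("Successfully verified" in text) and not codes
    explanations = [
        HRESULT_MEANINGS.get(c, f"unknown HRESULT 0x{c:08X}") for c in codes
    ]
    return SignatureCheck(verified=verified, error_codes=codes, explanations=explanations)


def should_flag_signer_as_compromised(check: SignatureCheck, file_is_malicious: bool):
    """A signer's certificate is evidence of a stolen key only when a VALID
    signature sits on malicious content, because the private key had to sign
    those exact bytes. An invalid signature means the signature block was
    copied from another file or the file was altered after signing, which
    says nothing about the legitimate key holder."""
    if not file_is_malicious:
        return False, "file not classified as malicious"
    if not check.verified:
        return False, "signature did not verify: " + "; ".join(check.explanations)
    return True, "valid signature on malicious content"


if __name__ == "__main__":
    for label, transcript in (("sandbox report", REPORT_FROM_MESSAGE),
                              ("constructed success", CONSTRUCTED_SUCCESS)):
        chk = parse_signtool_output(transcript)
        flag, reason = should_flag_signer_as_compromised(chk, file_is_malicious=True)
        print(f"{label}: verified={chk.verified} flag_signer={flag} ({reason})")
```

Running the sandbox transcript through the check yields `verified=False` and `flag_signer=False`, with both error codes explained; only the constructed "Successfully verified" transcript produces a `True` flag. The same gate belongs in front of any automated "known bad certificate" ingestion: a signer string found inside a malicious file is not proof of key compromise until the digest and chain validate.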