Enterprise password management developer Click Studios has revoked the digital certificate used to sign the malware involved in the recent and actively exploited zero-day vulnerability, Follina, for Microsoft Office.
An unnamed anti-virus vendor contacted the Adelaide-based company to advise it that some copies of malware delivered through Follina were signed by Click Studios' DigiCert SHA 256 certificate.
Since digital certificates are used to ensure the integrity of code, Click Studios asked DigiCert to revoke the credential, which is normally used to sign its password management software Passwordstate.
"While no Passwordstate code or functionality has been directly targeted or affected we have requested DigiCert to revoke the certificate.
"Once revoked your Passwordstate instances availability may be impacted through operating system, antivirus, or endpoint protection software," Click Studios said [pdf].
Click Studios does not know how its certificate was obtained by attackers, but said it cannot allow the credential to be used to digitally sign malware.
A new certificate to sign Click Studios' software has been obtained, and the company has recompiled Passwordstate to include the updated credential.
Follina abuses the remote template feature in the Microsoft Office protocol to execute code remotely with the MSDT diagnostics tool, bypassing detection by the Defender anti-malware utility.