Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha


Update: Added Microsoft’s statement to the end of the first section of this article.

Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts, and in some cases, removing certificates from Windows.

According to cybersecurity expert Florian Roth, the issue first appeared after Microsoft added the detections to a Defender signature update on April 30th.

Today, administrators worldwide began reporting that DigiCert root certificate entries were flagged as malware and, on affected systems, removed from the Windows trust store.

According to a Reddit post about the false positives, the detected certificates are:

  • 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
  • DDFB16CD4931C973A2037D3FC83A4D7D775D05E4

On impacted systems, these certificates were removed from the AuthRoot store under this Registry key:

HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\

These false positives have led to concern among Windows users, with some thinking their devices were infected and reinstalling the operating system to be safe.

Microsoft Defender "Trojan:Win32/Cerdigent.A!dha" False Positive
Source: Reddit

Microsoft has reportedly fixed the detections in Security Intelligence update version 1.449.430.0, and the most recent update is now 1.449.431.0.

Other reports on Reddit indicate that the fix also restores previously removed certificates on affected systems.

The new Microsoft Defender updates will automatically install, and Windows users can manually force an update by going into Windows Security > Virus and threat protection > Protection updates and clicking on Check for Updates.
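For administrators who want to confirm a host's state rather than wait for the automatic update, the following PowerShell script is an added example (it is not from the article, Microsoft, or DigiCert). It checks the three things the article describes: whether the installed Security Intelligence version is at or past the fixed 1.449.430.0 release, whether the two root-certificate thumbprints quoted from the Reddit post are still present in the AuthRoot registry key and in the LocalMachine AuthRoot store, and whether Defender recorded a Cerdigent detection on the machine. It assumes the built-in Defender module cmdlets (Get-MpComputerStatus, Update-MpSignature, Get-MpThreat) are available and that the session is elevated.

```powershell
# Added example, not the article's or Microsoft's own tooling. Run elevated.
# Assumptions: the two thumbprints are the ones quoted from the Reddit post,
# the fixed version is the one Microsoft named, and the Defender PowerShell
# module is present (it ships with Windows 10/11 and Windows Server).

$ReportedThumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',   # from the article
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'    # from the article
)
$FixedSignatureVersion = [version]'1.449.430.0'     # first fixed release per Microsoft
$AuthRootKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

# 1. Security Intelligence version: is the corrected alert logic installed?
$status    = Get-MpComputerStatus
$installed = [version]$status.AntivirusSignatureVersion
if ($installed -lt $FixedSignatureVersion) {
    Write-Warning "Security Intelligence $installed predates $FixedSignatureVersion; requesting an update."
    # Equivalent to Windows Security > Virus & threat protection > Protection updates > Check for updates
    Update-MpSignature
} else {
    Write-Host "Security Intelligence $installed already contains the corrected logic."
}

# 2. Root certificate entries: are the reported DigiCert roots still present?
#    AuthRoot subkeys are named by SHA-1 thumbprint, so the key path is a direct lookup.
$storeThumbprints = (Get-ChildItem Cert:\LocalMachine\AuthRoot).Thumbprint
$certReport = foreach ($tp in $ReportedThumbprints) {
    [pscustomobject]@{
        Thumbprint  = $tp
        InRegistry  = Test-Path (Join-Path $AuthRootKey $tp)
        InCertStore = $storeThumbprints -contains $tp
    }
}
$certReport | Format-Table -AutoSize
$missing = $certReport | Where-Object { -not $_.InRegistry -or -not $_.InCertStore }
if ($missing) {
    Write-Warning ("{0} reported root entry/entries missing; the host was likely affected. " +
                   "Reports indicate the fixed signature restores them, so re-check after the update.") -f $missing.Count
}

# 3. Detection history: did this host actually raise the false positive?
#    Get-MpThreat lists threats Defender has recorded; filter on the family name from the article.
$hits = Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' }
if ($hits) {
    Write-Host "Defender recorded $($hits.Count) Cerdigent detection(s) on this host:"
    $hits | Select-Object ThreatName, SeverityID, IsActive | Format-Table -AutoSize
} else {
    Write-Host 'No Cerdigent detection recorded on this host.'
}
```

The version check uses PowerShell's [version] type so that 1.449.431.0 compares correctly as newer than 1.449.430.0 (a plain string compare would not). Step 2 checks both the registry key named in the article and the Cert: drive view of the same store, since the two should agree; a mismatch between them is itself worth noting before assuming the fix has landed.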

After publishing this article, Microsoft confirmed that the false positives were linked to detections for compromised certificates from a recent DigiCert breach.

“Following reports of compromised certificates, Microsoft Defender immediately added detections for malware in our Defender Antivirus Software to help keep customers protected. Earlier today we determined false positive alerts were mistakenly triggered and updated the alert logic,” Microsoft told BleepingComputer.

“Microsoft Defender suppressed and cleaned up the alerts for customer environments. Customers should update to Security Intelligence version 1.449.430.0 or later, but do not need to take additional action for these alerts. We have notified affected organizations and recommend administrators look for more details in the service health dashboard (SHD) within the M365 admin center.”

Linked to recent DigiCert breach

The false positives come shortly after DigiCert disclosed a security incident in which threat actors obtained valid code-signing certificates that were then used to sign malware.

“A malware incident targeted a customer support team member. Upon detection, the threat vector was contained,” explains the DigiCert incident report.

“Our subsequent investigation found that the threat actor was able to procure initialization codes for a limited number of code signing certificates, few of which were then used to sign malware.”

“The identified certificates were revoked within 24 hours of discovery and the revocation date set to their date of issuance. As a precautionary measure, pending orders within the window of interest were cancelled. Additional details will be provided in our full incident report.”

According to DigiCert’s incident report, attackers targeted the company’s support staff in early April by creating support messages containing a malicious ZIP file disguised as a screenshot.

After multiple blocked attempts, one support analyst’s device was eventually compromised, followed by a second system that went undetected for a time due to an endpoint protection “sensor gap.”

With access to the breached support environment, the threat actor used a feature in DigiCert’s internal support portal that lets support staff view customer accounts from the customer’s perspective.

While limited in scope, this access exposed “initialization codes” to previously approved, but undelivered, EV code-signing certificate orders.

“Possession of an initialization code, combined with an approved order, is sufficient to obtain the resulting certificate (see Contributing Factors discussion below),” explained DigiCert.

“Since the threat actor was able to obtain these two pieces of information for a finite set of approved orders, they were able to obtain EV Code Signing certificates across a set of customer accounts and CAs.”

DigiCert says it revoked 60 code-signing certificates, including 27 linked to a “Zhong Stealer” malware campaign.

“11 were identified in certificate problem reports provided to DigiCert by community members linking the certificates to malware, and 16 were identified during our own investigation,” explained DigiCert.

Zhong Stealer malware campaign

This aligns with earlier reports from security researchers who had observed newly issued DigiCert EV certificates used in malware campaigns and reported them to DigiCert.

Researchers, including Squiblydoo, MalwareHunterTeam, and g0njxa, reported that certificates issued to well-known companies such as Lenovo, Kingston, Shuttle Inc, and Palit Microsystems were being used to sign malware.

“What do Lenovo, Kingston, Shuttle Inc, and Palit Microsystems have in common?” posted Squiblydoo on X.

“EV Certificates from these companies were issued and used by a Chinese crime group, #GoldenEyeDog (#APT-Q-27)!”

The malware in this campaign is named “Zhong Stealer,” though analysis indicates it may be more like a remote access trojan (RAT) than an infostealer.

The researcher says the malware was distributed through the following attack chain:

  • Phishing emails that deliver a fake image or screenshot
  • A first-stage executable that displays a decoy image
  • Retrieval of a second-stage payload from cloud storage such as AWS
  • Use of signed binaries and loaders, including components tied to legitimate vendors

After DigiCert disclosed the incident, the researchers said the incident report explains how the certificates used in these malware campaigns were obtained.

It should be noted that the certificates flagged by Microsoft Defender are root certificates in the Windows trust store and do not match the revoked DigiCert code-signing certificates used to sign malware.
