Adversaries increasingly leverage diverse techniques to distribute malicious payloads across the web. One common, low-cost tactic is the hijacking of digital signatures and their attachment to malicious binaries, with the intent of deceiving both web browsers and operating systems. While code-signing certificates have traditionally served to verify the authenticity and integrity of software, adversaries now exploit these same certificates to evade detection mechanisms and facilitate the propagation of malicious code. This study seeks to empirically evaluate how modern web browsers respond to untrusted code by analyzing their reactions to signed malicious binaries. Our analysis shows that browsers' responses to certificate abuses may differ significantly, and the operating system may respond ineffectively potentially leaving end-users vulnerable to straightforward adversarial tactics. We also show that it is possible to significantly reduce the attack surface against certificate abuse with the use of a browser extension.
