There's a flourishing trade in illicit code-signing certificates, and even extended validation certificates can be purchased for a few thousand dollars.
That's the conclusion of a study by American and Czech researchers, with input from Symantec Labs (the company's technical director Christopher Gates is a co-author).
The research found that the success of Microsoft's Windows Defender SmartScreen has forced attackers to change tactics. Once, malware authors would seek out code-signing certificates that had been compromised. During 2017, however, the paper says “these methods have become secondary to purchasing certificates from underground vendors”. The paper cited platform protections like SmartScreen as driving this change.