The new Windows CryptoAPI vulnerability disclosed by the NSA can be abused by malware developers to sign their executables so that they appear to be from legitimate companies. This creates trust in the program, which may cause a user to be more willing to execute them. Malware distributors are commonly creating fake companies to purchase code-signing certificates or steal certificates from other companies. As these certificates are exploiting a vulnerability, they cannot be revoked by certificate authorities or blocked on unpatched Windows devices. Once a certificate is reported to be used with malware, the authority responsible for this cert will revoke it so that it no longer works.
Source: https://www.bleepingcomputer.com/news/security/how-malware-gains-trust-by-abusing-the-windows-cryptoapi-flaw/