Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. [1] The certificates used during an operation may be created, acquired, or stolen by the adversary. [2] [3] Unlike Invalid Code Signature, this activity will result in a valid signature.
Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. [1]
Code signing certificates may be used to bypass security policies that require signed code to execute on a system.
ID | Name | Description |
---|---|---|
S0504 | Anchor |
Anchor has been signed with valid certificates to evade detection by security tools.[4] |
S0584 | AppleJeus |
AppleJeus has used a valid digital signature from Sectigo to appear legitimate.[5] |
G0016 | APT29 |
APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.[6] |
G0096 | APT41 |
APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[7][8] |
S0475 | BackConfig |
BackConfig has been signed with self signed digital certificates mimicking a legitimate software company.[9] |
S0234 | Bandook | |
S0534 | Bazar |
Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD.[11] |
S0520 | BLINDINGCAN |
BLINDINGCAN has been signed with code-signing certificates such as CodeRipper.[12] |
S0415 | BOOSTWRITE |
BOOSTWRITE has been signed by a valid CA.[13] |
S0144 | ChChes |
ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[14][15][16] |
S0611 | Clop | |
S0154 | Cobalt Strike |
Cobalt Strike can use self signed Java applets to execute signed applet attacks.[18][19] |
G0052 | CopyKittens |
CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.[20] |
S0527 | CSPY Downloader |
CSPY Downloader has come signed with revoked certificates.[21] |
G0012 | Darkhotel |
Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.[22][23] |
S0187 | Daserf |
Some Daserf samples were signed with a stolen digital certificate.[24] |
S0377 | Ebury |
Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.[25] |
S0624 | Ecipekac |
Ecipekac has used a valid, legitimate digital signature to evade detection.[26] |
S0091 | Epic |
Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.[27] |
G0037 | FIN6 | |
G0046 | FIN7 |
FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.[29][30] |
G0093 | GALLIUM |
GALLIUM has used stolen certificates to sign its tools including those from Whizzimo LLC.[31] |
S0168 | Gazer |
Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd."[32][33] |
S0342 | GreyEnergy |
GreyEnergy digitally signs the malware with a code-signing certificate.[34] |
S0170 | Helminth |
Helminth samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared.[35] |
S0697 | HermeticWiper |
The HermeticWiper executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd.[36][37][38][39] |
S0698 | HermeticWizard |
HermeticWizard has been signed by valid certificates assigned to Hermetica Digital.[40] |
G0072 | Honeybee |
Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.[41] |
S0163 | Janicab |
Janicab used a valid AppleDeveloperID to sign the code to get past security restrictions.[42] |
G0094 | Kimsuky | |
G0032 | Lazarus Group |
Lazarus Group has digitally signed malware and utilities to evade detection.[44][45] |
G0065 | Leviathan |
Leviathan has used stolen code signing certificates to sign malware.[46][47] |
S0372 | LockerGoga |
LockerGoga has been signed with stolen certificates in order to make it look more legitimate.[48] |
G0045 | menuPass |
menuPass has resized and added data to the certificate table to enable the signing of modified files with legitimate signatures.[26] |
S0455 | Metamorfo |
Metamorfo has digitally signed executables using AVAST Software certificates.[49] |
G0021 | Molerats |
Molerats has used forged Microsoft code-signing certificates on malware.[50] |
S0284 | More_eggs |
More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.[28] |
S0210 | Nerex | |
G0040 | Patchwork |
Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.[9] |
S0501 | PipeMon |
PipeMon, its installer, and tools are signed with stolen code-signing certificates.[52] |
G0056 | PROMETHIUM |
PROMETHIUM has signed code with self-signed certificates.[53] |
S0650 | QakBot | |
S0262 | QuasarRAT |
A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.[55] |
S0148 | RTM |
RTM samples have been signed with a code-signing certificates.[56] |
G0091 | Silence |
Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).[57] |
S0646 | SpicyOmelette |
SpicyOmelette has been signed with valid digital certificates.[58] |
S0491 | StrongPity |
StrongPity has been signed with self-signed certificates.[53] |
S0603 | Stuxnet |
Stuxnet used a digitally signed driver with a compromised Realtek certificate.[59] |
G0039 | Suckfly |
Suckfly has used stolen certificates to sign its malware.[60] |
S0559 | SUNBURST |
SUNBURST was digitally signed by SolarWinds from March - May 2020.[6] |
G0092 | TA505 |
TA505 has signed payloads with code signing certificates from Thawte and Sectigo.[61][62][63] |
S0266 | TrickBot | |
G0044 | Winnti Group |
Winnti Group used stolen certificates to sign its malware.[64] |
G0102 | Wizard Spider |
Wizard Spider has used Digicert code-signing certificates for some of its malware.[65] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Metadata |
Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.