Code Signing

Information

• Name: Code Signing

• ID: T1553.002

• Tactics: TA0005

• Technique: T1553

Introduction

Code Signing (T1553.002) is a sub-technique in the MITRE ATT&CK framework under the broader category of Subvert Trust Controls (T1553). It involves adversaries misusing or compromising code signing certificates to sign malicious software, scripts, or executables, making them appear legitimate and trustworthy to end users, operating systems, and security solutions. By leveraging trusted digital signatures, attackers can bypass security controls, evade detection, and achieve persistence within compromised environments.

Deep Dive Into Technique

Code signing is a security measure designed to verify the authenticity and integrity of software. Legitimate developers sign their code using private keys associated with trusted digital certificates, providing assurance that the software has not been tampered with. Attackers exploiting this sub-technique typically follow one or more of these methods:

• Compromising Legitimate Certificates:

  • Attackers gain unauthorized access to legitimate organizations and steal valid code-signing certificates.

  • They utilize stolen certificates to sign malware, making it appear genuine and trustworthy.

• Forging or Fraudulently Obtaining Certificates:

  • Attackers may fraudulently register or obtain certificates by impersonating legitimate entities.

  • Fraudulent certificates are then used to sign malicious payloads, scripts, or executables.

• Misusing Internal Code Signing Infrastructure:

  • Attackers compromise internal code-signing infrastructure within an organization.

  • They leverage internal signing processes to sign malware, thus bypassing internal security checks.

Technical mechanisms involved include:

• Digital Signatures and Cryptographic Algorithms:

  • Attackers utilize standard cryptographic algorithms (RSA, ECC) to digitally sign malicious code.

  • Signed malware can bypass built-in operating system security controls, such as Windows SmartScreen or Gatekeeper on macOS.

• Timestamping:

  • Attackers may use timestamping services to ensure signatures appear valid even after certificate revocation.

  • Timestamping complicates detection and remediation efforts.

Real-world procedures include:

• Using signed malicious binaries to evade antivirus and endpoint detection and response (EDR) solutions.

• Distributing signed malware via phishing emails, malicious websites, or software updates.

• Leveraging signed drivers or kernel-mode components to achieve privileged access and persistence.

When this Technique is Usually Used

Attackers typically utilize the Code Signing sub-technique during various attack phases, including:

• Initial Access:

  • Distributing signed malware through phishing emails or malicious software downloads to establish initial footholds.

• Execution and Defense Evasion:

  • Running signed executables to bypass endpoint protection solutions, antivirus scanners, and application whitelisting policies.

• Persistence:

  • Deploying signed kernel-mode drivers or system services to achieve long-term persistence and evade detection.

• Privilege Escalation:

  • Using signed drivers or system-level executables to escalate privileges on compromised systems.

• Supply Chain Attacks:

  • Injecting malicious signed software updates into legitimate software distribution channels to target multiple organizations simultaneously.

How this Technique is Usually Detected

Detection of malicious use of code signing typically involves a combination of monitoring, analysis, and proactive measures. Common detection methods include:

• Certificate Reputation Monitoring:

  • Tracking and analyzing certificates used in signed binaries to detect anomalies or compromised certificates.

  • Utilizing public and private threat intelligence sources to identify known compromised certificates.

• Behavioral Analysis and Endpoint Detection:

  • Employing endpoint detection and response (EDR) solutions to identify suspicious behaviors from signed executables, such as unusual network connections, privilege escalation attempts, or persistence mechanisms.

  • Analyzing signed binaries for suspicious code patterns, packing techniques, or obfuscation.

• Certificate Transparency Log Monitoring:

  • Monitoring publicly available certificate transparency (CT) logs to detect unauthorized or fraudulent certificate issuance.

  • Identifying anomalous certificate issuances related to organizational domains or known legitimate entities.

• IOC-based Detection:

  • Leveraging known indicators of compromise (IoCs), such as hashes of malicious signed binaries, certificate serial numbers, issuer details, or timestamps.

  • Integrating IoCs into security information and event management (SIEM) platforms for rapid detection and response.

• Application Whitelisting and Control Policies:

  • Implementing strict application control policies that validate signatures against trusted certificate stores.

  • Detecting and alerting on binaries signed by unknown, suspicious, or revoked certificates.

Why it is Important to Detect This Technique

Early detection of malicious code signing is critical due to the significant security impacts it can cause, including:

• Trust and Security Control Bypass:

  • Signed malware can bypass built-in security controls, antivirus software, endpoint protection solutions, and application whitelisting policies.

  • Attackers gain easy execution of malicious payloads without triggering security alerts.

• Extended Persistence and Privilege Escalation:

  • Signed kernel-mode drivers and system-level executables grant attackers high-level privileges, enabling persistence and lateral movement within compromised networks.

  • Detecting and mitigating signed malware early prevents attackers from gaining deep-rooted persistence.

• Supply Chain Risks:

  • Compromised certificates and signed malicious updates can impact multiple organizations simultaneously, significantly amplifying attacker reach and damage.

  • Early detection limits the spread and impact of supply chain attacks.

• Reputational and Financial Damage:

  • Organizations whose certificates are compromised or misused face severe reputational harm, loss of customer trust, regulatory penalties, and financial losses.

  • Rapid detection and response minimize these impacts and preserve organizational integrity.

Examples

Real-world examples of malicious code signing include:

• Stuxnet (2010):

  • Attackers used stolen code-signing certificates from legitimate companies (Realtek, JMicron) to sign malicious drivers.

  • The signed malware bypassed security controls and infected nuclear facilities, causing physical damage to centrifuges.

• Operation ShadowHammer (ASUS Supply Chain Attack, 2019):

  • Attackers compromised ASUS's legitimate software update infrastructure and signed malicious software updates with legitimate ASUS certificates.

  • The attack affected thousands of ASUS users, demonstrating significant supply chain risks.

• NotPetya (2017):

  • Attackers compromised Ukrainian accounting software firm M.E.Doc and distributed malware signed with the company's legitimate certificate.

  • The signed malware bypassed security controls, rapidly spreading worldwide, causing billions of dollars in damages.

• D-Link Certificate Misuse (2018):

  • Attackers stole code-signing certificates from D-Link to sign the Plead malware.

  • Signed malware bypassed endpoint security solutions, infecting targeted organizations in East Asia.

• Winnti Group Attacks (Multiple Incidents, 2011–Present):

  • Winnti group consistently targeted gaming and software companies to steal legitimate certificates.

  • Signed malware facilitated long-term persistence, data exfiltration, and espionage activities.

These examples highlight attackers' persistent efforts to misuse code signing and underline the importance of robust detection, monitoring, and security practices.