Code Signing Certificates (T1587.002)
Code Signing Certificates [T1587.002]
Last updated
Code Signing Certificates [T1587.002]
Last updated
Name: Code Signing Certificates
ID: T1587.002
Tactics:
Technique:
Code Signing Certificates (MITRE ATT&CK sub-technique T1587.002) involve adversaries acquiring or misusing legitimate digital certificates to sign malicious code, software, or scripts. By signing malicious payloads, attackers can bypass security controls, evade detection, and gain trust from the operating system and end-users. This sub-technique is part of the broader ATT&CK technique "Develop Capabilities" (T1587), which deals with adversaries developing resources to support their operations.
Code signing certificates are cryptographic digital certificates issued by trusted Certificate Authorities (CAs) that validate the identity of software publishers and ensure software integrity. Attackers typically exploit this trust mechanism through the following methods:
Acquisition of Legitimate Certificates:
Attackers may register shell companies or fake identities to obtain legitimate code signing certificates from reputable certificate authorities.
They may also compromise legitimate organizations and steal their code signing certificates directly.
Misuse of Stolen Certificates:
Adversaries may breach software companies or developers and exfiltrate existing code signing certificates.
Stolen certificates are then used to digitally sign malicious software, making it appear legitimate.
Certificate Authority Compromise:
Attackers may directly compromise a Certificate Authority (CA) to generate valid certificates for malicious purposes.
Such attacks are rare but extremely impactful, as they undermine trust across the entire certificate ecosystem.
Certificate Forgery and Manipulation:
Attackers may exploit vulnerabilities in certificate validation processes or cryptographic weaknesses to produce fraudulent certificates or signatures.
Technical execution typically involves:
Using standard code signing tools (such as Microsoft's SignTool or OpenSSL) to digitally sign malicious binaries.
Embedding signed malicious code into legitimate software distribution channels or application updates.
Leveraging signed binaries to bypass application allow-listing and antivirus detection mechanisms.
Attackers commonly use code signing certificates at various stages of an attack lifecycle:
Initial Access and Delivery:
Malicious software signed with legitimate certificates can bypass security controls, such as antivirus, endpoint detection and response (EDR), and application allow-listing mechanisms.
Attackers distribute signed malware via phishing emails, malicious websites, or compromised software distribution channels.
Execution and Persistence:
Signed malicious binaries can execute with fewer security warnings and prompts, increasing the likelihood of successful deployment and persistence.
Attackers embed signed malware within legitimate software updates or installers to establish long-term footholds.
Privilege Escalation and Defense Evasion:
Signed malware can masquerade as trusted software, allowing attackers to escalate privileges or evade detection by security tools that rely on certificate validation.
Legitimate digital signatures reduce suspicion from security analysts and automated detection tools.
Supply Chain Attacks:
Attackers compromise legitimate software vendors and use their signing certificates to distribute malicious updates to end-users, significantly expanding the attack surface and impact.
Detection of malicious use of code signing certificates involves a combination of technical analysis, monitoring, and threat intelligence:
Certificate Reputation Analysis:
Monitoring and evaluating certificate reputation through third-party threat intelligence services and certificate transparency logs.
Identifying newly issued certificates or certificates associated with suspicious or unknown entities.
Endpoint Detection and Response (EDR):
Analyzing certificate metadata during endpoint file execution events.
Detecting unusual or anomalous certificate usage, such as certificates issued shortly before malware distribution or certificates not previously seen in the environment.
Application Allow-listing Tools:
Monitoring signed binaries and maintaining allow-lists based on known legitimate certificates.
Alerting on binaries signed with unknown or suspicious certificates.
Certificate Transparency Logs and Monitoring:
Continuously monitoring Certificate Transparency (CT) logs to identify fraudulent or suspicious certificates issued in the organization's name or related domains.
Leveraging automated CT monitoring tools to alert on suspicious certificate issuance.
Indicators of Compromise (IoCs):
Suspicious certificates appearing suddenly in software execution logs.
Certificates associated with known malicious campaigns or threat actors.
Certificates issued by compromised or suspect CAs.
Unexpected changes in software signing practices within an organization.
Early detection of malicious code signing certificate usage is critical due to the following impacts:
Security Bypass and Defense Evasion:
Signed malicious software can easily bypass endpoint security controls, antivirus solutions, and application allow-listing mechanisms, significantly reducing the effectiveness of traditional defenses.
Increased Trust and Reduced Suspicion:
End-users and automated security tools inherently trust signed software, increasing the likelihood of successful malware deployment and execution.
Supply Chain Compromise:
Attackers leveraging legitimate certificates can conduct widespread attacks through trusted software distribution channels, potentially affecting numerous organizations and end-users simultaneously.
Extended Persistence and Privilege Escalation:
Digitally signed malware can establish long-term persistence, escalate privileges, and evade detection, allowing attackers extended access and control over compromised environments.
Reputational Damage and Loss of Trust:
Organizations whose certificates are compromised face significant reputational damage and loss of customer trust.
Certificate authority compromises can have broad impacts on the trust ecosystem, affecting multiple organizations and end-users.
Real-world examples of attacks involving malicious use of code signing certificates include:
Stuxnet Attack (2010):
Attackers used stolen code signing certificates from legitimate companies (Realtek Semiconductor and JMicron Technology) to digitally sign malicious drivers.
Signed drivers enabled Stuxnet to bypass Windows security measures and infect targeted Iranian nuclear facilities.
Operation ShadowHammer (ASUS Supply Chain Attack, 2019):
Attackers compromised ASUS's software update infrastructure and used legitimate ASUS code signing certificates to distribute malicious updates to thousands of end-users.
The signed malware bypassed antivirus detection and allowed attackers to selectively target specific users.
CCleaner Supply Chain Attack (2017):
Attackers compromised Piriform's software development environment and used legitimate code signing certificates to distribute malware-infected versions of CCleaner to millions of users.
The signed malicious software evaded detection and provided attackers with access to targeted corporate networks.
APT41 and Video Game Industry Attacks (2012–2019):
Chinese threat actor APT41 repeatedly stole code signing certificates from video game developers, using them to sign malware and distribute it through legitimate channels.
Signed malware facilitated long-term persistence and evasion of detection mechanisms.
Winnti Group (Multiple Incidents, 2011–Present):
Winnti group routinely compromises software companies to steal code signing certificates.
Stolen certificates are used to sign malware and conduct supply chain attacks, targeting various industries globally.
These examples illustrate the significant risk posed by malicious use of code signing certificates, highlighting the importance of robust detection mechanisms and proactive monitoring.