Full Report
Cybercriminals are abusing Microsoft's Trusted Signing platform to code-sign malware executables with short-lived three-day certificates. [...]
Analysis Summary
# Tool/Technique: Microsoft Trusted Signing Service Abuse
## Overview
This summary outlines the abuse of Microsoft's Trusted Signing service to obtain valid digital code-signing certificates for the purpose of signing or distributing malware. Threat actors are leveraging this service due to its perceived simpler verification process compared to traditional Extended Validation (EV) certificates.
## Technical Details
- Type: Technique (Abuse of Legitimate Service)
- Platform: Windows (Authenticode signing of PE executables, DLLs and installers)
- Capabilities: Lets threat actors sign malware with a certificate that chains to a Microsoft-operated CA, so the binary carries a valid Authenticode signature. This suppresses unknown-publisher warnings and raises the reputation that some security products assign to signed code, increasing the likelihood that the payload runs.
- First Seen: Not stated. The source describes an ongoing, recently observed campaign pattern, not a dated first occurrence.
## MITRE ATT&CK Mapping
The article gives no explicit mapping. The techniques that fit the described activity are:
- **TA0042 - Resource Development**
  - T1588.003 - Obtain Capabilities: Code Signing Certificates (the actor acquires a certificate from a legitimate issuer under an individual or company identity rather than stealing one)
- **TA0005 - Defense Evasion**
  - T1553.002 - Subvert Trust Controls: Code Signing (the signed payload passes signature-based trust checks and avoids the warnings shown for unsigned code)
## Functionality
### Core Capabilities
- Issuing code-signing certificates through the Trusted Signing service (formerly Azure Code Signing) that chain to a Microsoft CA.
- Offering a faster identity-verification path for individuals than traditional EV certificates, which is the property the threat actors are exploiting.
### Advanced Features
- Organization identity validation requires three years of verifiable business history; individual identity validation lets a person obtain a certificate in their own name with lighter checks, which is the path the report says is being abused.
- Issued certificates are short-lived (three days according to the report). This limits the window in which a given certificate can sign new files, but an Authenticode signature that carries a trusted timestamp remains valid after the certificate expires, so only revocation invalidates already-signed malware.
- Because the certificates chain to a Microsoft CA, signed binaries inherit the trust that Windows and security products place in that chain.
## Indicators of Compromise
The provided context focuses on the **mechanism of abuse** rather than specific malware samples or C2 infrastructure related to the payloads signed by these certificates.
- File Hashes: [Not Provided in Context]
- File Names: [Not Provided in Context, but would be the malware executable/DLLs signed.]
- Registry Keys: [Not Provided in Context]
- Network Indicators: [Not Provided in Context]
- Behavioral Indicators: [Execution of validly signed binaries that exhibit malicious behavior. A signer certificate with a validity window of only a few days, issued shortly before the file appeared on the host, is a useful triage signal for this pattern, though not proof of malice on its own.]
## Associated Threat Actors
The article refers generally to **"threat actors"** who are leveraging this service for convenience and to bypass stricter EV certificate requirements. No specific named threat groups are identified within this excerpt.
## Detection Methods
According to Microsoft's statement, it relies on the following:
- Signature-based detection: Microsoft's antimalware products detect the malware samples.
- Behavioral detection: Monitoring for misuse or abuse of the signing service.
- YARA rules: [Not Provided in Context]
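As an added host-side triage check (not from the article and not Microsoft's tooling), the following PowerShell script lists Authenticode-signed files whose signer certificate was valid for only a few days, the pattern the report describes. The scanned paths, the four-day threshold and the output fields are assumptions chosen for the example; adjust them to the environment.

```powershell
# Added example, not code from the original article or from Microsoft.
# Hunts for Authenticode-signed files whose leaf certificate has an
# unusually short validity window (the report cites three-day certificates).
# The default paths, the 4-day threshold and the output columns are assumptions.
param(
    [string[]]$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP"),
    [int]$MaxValidityDays = 4
)

function Get-ShortLivedSignedBinary {
    param([string[]]$Paths, [int]$MaxValidityDays)

    Get-ChildItem -Path $Paths -Recurse -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Only files whose signature chain actually validates are of interest;
            # unsigned or tampered files are a different triage question.
            if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return }

            $cert = $sig.SignerCertificate
            # Lifetime of the leaf certificate, not whether it is currently expired:
            # a timestamped signature stays 'Valid' long after a 3-day cert expires.
            $lifetime = $cert.NotAfter - $cert.NotBefore
            if ($lifetime.TotalDays -le $MaxValidityDays) {
                [PSCustomObject]@{
                    Path         = $_.FullName
                    Subject      = $cert.Subject
                    Issuer       = $cert.Issuer
                    NotBefore    = $cert.NotBefore
                    NotAfter     = $cert.NotAfter
                    LifetimeDays = [math]::Round($lifetime.TotalDays, 2)
                    Timestamped  = [bool]$sig.TimeStamperCertificate
                    SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

Get-ShortLivedSignedBinary -Paths $Paths -MaxValidityDays $MaxValidityDays |
    Format-Table -AutoSize
```

A hit is a lead, not a verdict: legitimate Trusted Signing customers receive the same short-lived certificates, so the Subject and Issuer columns and the file hash should be checked against reputation data before any response. Because `Get-AuthenticodeSignature` reports `Valid` for a timestamped signature even after the certificate has expired, the script keys on the certificate's lifetime rather than on its expiry.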
## Mitigation Strategies
Based on Microsoft's response and the context of the abuse:
- **Certificate Revocation:** Immediate revocation of certificates found to be misused.
- **Account Suspension:** Suspended accounts associated with the abusive signing activity.
- **Threat Intelligence Monitoring:** Continuous active monitoring for misuse of the signing service.
- **Policy Management:** Microsoft requires three years of verifiable business history before issuing a certificate under a company name; individuals can obtain certificates in their own name under the lighter individual verification path.
## Related Tools/Techniques
- **Extended Validation (EV) Certificates:** Threat actors appear to be moving away from EV certificates, citing uncertainty around Microsoft's announced changes to EV certificate standards, and view the Trusted Signing process as a simpler alternative.
- **Code Signing Certificates:** The general use of any legitimate code-signing certificate to mask malicious intent.