Subvert Trust Controls: Code Signing

ID          Name
VT0016.001  Install Root Certificate
VT0016.002  Code Signing

Before compromising a victim, adversaries may buy, steal or create code signing certificates to be used during targeting. Code signing is a guarantee that the code of a program or software download has not been modified after it was signed by the publisher. Code signing uses the same public key infrastructure (PKI) used in HTTPS to sign and verify a software program.[1]

Code signing provides a level of authenticity for a program and verifies the identity of the developer, giving assurance that the program has not been tampered with.

Code signing is mostly used to verify software on first run on Windows and macOS/OS X operating systems. Users and security tools trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.[2]
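The mechanism described above (hash the program, sign the digest with the publisher's private key, and have the consumer check both the signature and the certificate chain) can be shown end to end with the Go standard library. This is an added example, not code from the original page or from any vendor's signing toolchain: the CA name, the publisher name and the "installer" bytes are constructed, and the verifier is a minimal stand-in for what Windows or macOS do on first run. It also shows why a self-signed certificate with a convincing name is not enough against a verifier that insists on a chain to a trusted root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer is a publisher: a private key plus the certificate binding it to a name.
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// check aborts this constructed demo on setup errors.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a code-signing certificate (or a CA when isCA is set) for name; with parent == nil it is self-signed.
func issue(name string, isCA bool, parent *Signer) *Signer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, parentKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, parentKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Signer{Key: key, Cert: cert}
}

// Sign hashes the program and signs the digest; the signature ships with the download.
func Sign(s *Signer, code []byte) ([]byte, error) {
	digest := sha256.Sum256(code)
	return ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
}

// Verify is the consumer-side check: the certificate must chain to a trusted root and be valid for code signing, and the signature must match the bytes actually received.
func Verify(code []byte, cert *x509.Certificate, sig []byte, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted signer: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(code)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match: program modified after signing")
	}
	return nil
}

// DemoPKI builds a trusted root, a publisher certificate issued by it, and a self-signed certificate with the same publisher name that no CA stands behind (all constructed).
func DemoPKI() (roots *x509.CertPool, trusted, selfSigned *Signer) {
	ca := issue("Constructed Demo Root CA", true, nil)
	trusted = issue("Example Publisher Ltd", false, ca)
	selfSigned = issue("Example Publisher Ltd", false, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca.Cert)
	return roots, trusted, selfSigned
}

func main() {
	roots, trusted, rogue := DemoPKI()
	code := []byte("constructed sample installer bytes")
	sig, _ := Sign(trusted, code)
	tampered := append([]byte(nil), code...)
	tampered[0] ^= 1 // one bit flipped after signing
	rogueSig, _ := Sign(rogue, code)
	fmt.Println("genuine:", Verify(code, trusted.Cert, sig, roots))
	fmt.Println("tampered:", Verify(tampered, trusted.Cert, sig, roots))
	fmt.Println("self-signed:", Verify(code, rogue.Cert, rogueSig, roots))
}
```

Running it prints `<nil>` for the genuine download and an error for the other two: the tampered copy fails on the digest, and the self-signed publisher fails on the chain even though its certificate name is identical to the trusted one. The second case is the point of the next paragraphs: a control that accepts any signature, rather than one that chains to a trusted CA, gives an adversary with a self-signed or stolen certificate the same standing as a legitimate publisher.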

Adversaries may use code signing to sign their tools so that they appear legitimate and bypass security policies and controls that require signed code to execute on a system.

To obtain a code signing certificate, adversaries may take two approaches:

  • Develop Capabilities and create a self-signed certificate, or purchase a certificate from a CA through the official channels using a front organization or information stolen from a previously compromised entity that allows the adversary to validate to the CA as that entity.[2]

  • Obtain Capabilities and buy stolen code signing certificates, keys and credentials from online marketplaces or from individuals offering crime-as-a-service, or steal them from another victim in a prior attack.

Procedure Examples

Name Description
Adwind

Adwind uses a spoofing vulnerability (CVE-2020-1464) in Windows to distribute malicious files that are signed by Microsoft, Google, etc. and appear legitimate.

APT40

APT40 has used stolen code signing certificates to sign its malware and tools.[3][4]

APT41

APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[5]

Ebury

Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.[6]

PLEAD

The PLEAD backdoor and information stealer are signed with certificates stolen from Taiwanese companies.

Ratty

Ratty uses a spoofing vulnerability (CVE-2020-1464) in Windows to distribute malicious files that are signed by Microsoft, Google, etc. and appear legitimate.

SUNBURST

SUNBURST was digitally signed with SolarWinds' signing certificate between March and May 2020.[7]

TrickBot

TrickBot is delivered with a signed downloader component.[8]

UNC1945

UNC1945 uses code signing certificates to sign its tools.

UNC2452

UNC2452 was able to get SUNBURST signed with SolarWinds' code signing certificate by replacing one of the source code files of the Orion software during the build. The legitimate file was swapped out by SUNSPOT, another tool that was present on the build system.

Winnti Group

Winnti Group used stolen certificates to sign its malware.[9]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.
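One way to turn that guidance into detection logic, as an added example that is not part of the original page: the program below reads constructed "binary file metadata" records (one JSON object per line, with field names invented for this example rather than taken from any real agent) and raises a finding for the certificate characteristics a reviewer would treat as outliers: a self-signed certificate, an issuer outside the organisation's CA allowlist, a signing date outside the certificate's validity window, a very short-lived certificate, and a signing certificate that appears on a single host across the fleet. The allowlist and thresholds are assumptions to be tuned per environment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Record is one "binary file metadata" observation as an inventory or EDR agent might
// report it. The field names are constructed for this example, not a real agent's schema.
type Record struct {
	Host       string `json:"host"`
	Path       string `json:"path"`
	Subject    string `json:"subject"`    // signer certificate subject
	Issuer     string `json:"issuer"`     // certificate issuer (CA)
	Thumbprint string `json:"thumbprint"` // certificate fingerprint
	NotBefore  string `json:"not_before"` // certificate validity start (YYYY-MM-DD)
	NotAfter   string `json:"not_after"`  // certificate validity end
	SignedAt   string `json:"signed_at"`  // signing (timestamp) date
}

// Finding is one anomaly raised for a signed binary.
type Finding struct {
	Host, Path, Reason string
}

// knownIssuers is the allowlist of CAs the organisation expects to issue code-signing
// certificates (constructed names; a real list comes from the environment's inventory).
var knownIssuers = map[string]bool{
	"CN=Constructed Public CA":       true,
	"CN=Constructed Corp Issuing CA": true,
}

const dateLayout = "2006-01-02"

// Analyze parses JSON-lines records and returns one Finding per unusual certificate
// characteristic: self-signed or unexpected issuers, signing outside the certificate's
// validity window, very short-lived certificates, and signers seen on a single host.
func Analyze(lines []string) ([]Finding, error) {
	var recs []Record
	for _, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var r Record
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, fmt.Errorf("unparseable record %q: %w", line, err)
		}
		recs = append(recs, r)
	}
	// Prevalence across the fleet: which hosts ran code signed by each certificate.
	hosts := map[string]bool{}
	hostsBySigner := map[string]map[string]bool{}
	for _, r := range recs {
		hosts[r.Host] = true
		if hostsBySigner[r.Thumbprint] == nil {
			hostsBySigner[r.Thumbprint] = map[string]bool{}
		}
		hostsBySigner[r.Thumbprint][r.Host] = true
	}
	var out []Finding
	flag := func(r Record, reason string) { out = append(out, Finding{r.Host, r.Path, reason}) }
	for _, r := range recs {
		switch {
		case r.Subject == r.Issuer:
			flag(r, "self-signed certificate")
		case !knownIssuers[r.Issuer]:
			flag(r, "issuer not in CA allowlist: "+r.Issuer)
		}
		nb, err1 := time.Parse(dateLayout, r.NotBefore)
		na, err2 := time.Parse(dateLayout, r.NotAfter)
		at, err3 := time.Parse(dateLayout, r.SignedAt)
		if err1 == nil && err2 == nil && err3 == nil {
			if at.Before(nb) || at.After(na) {
				flag(r, "signed outside certificate validity period")
			}
			if na.Sub(nb) < 30*24*time.Hour {
				flag(r, "certificate lifetime shorter than 30 days")
			}
		}
		// Rarity only means something once the sample covers several hosts.
		if len(hosts) >= 3 && len(hostsBySigner[r.Thumbprint]) == 1 {
			flag(r, "signing certificate seen on a single host only")
		}
	}
	return out, nil
}

// SampleLog is constructed telemetry, not data from any real environment.
var SampleLog = []string{
	`{"host":"ws01","path":"C:\\Program Files\\Vendor\\app.exe","subject":"CN=Vendor Inc","issuer":"CN=Constructed Public CA","thumbprint":"T1","not_before":"2020-01-01","not_after":"2023-01-01","signed_at":"2020-06-01"}`,
	`{"host":"ws02","path":"C:\\Program Files\\Vendor\\app.exe","subject":"CN=Vendor Inc","issuer":"CN=Constructed Public CA","thumbprint":"T1","not_before":"2020-01-01","not_after":"2023-01-01","signed_at":"2020-06-01"}`,
	`{"host":"ws03","path":"C:\\Program Files\\Vendor\\app.exe","subject":"CN=Vendor Inc","issuer":"CN=Constructed Public CA","thumbprint":"T1","not_before":"2020-01-01","not_after":"2023-01-01","signed_at":"2020-06-01"}`,
	`{"host":"ws03","path":"C:\\Users\\Public\\update.exe","subject":"CN=Vendor Inc","issuer":"CN=Vendor Inc","thumbprint":"T2","not_before":"2020-11-30","not_after":"2020-12-05","signed_at":"2020-12-01"}`,
	`{"host":"ws02","path":"C:\\Temp\\tool.exe","subject":"CN=Other Co","issuer":"CN=Constructed Public CA","thumbprint":"T3","not_before":"2018-01-01","not_after":"2019-01-01","signed_at":"2020-12-01"}`,
}

func main() {
	findings, err := Analyze(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s: %s\n", f.Host, f.Path, f.Reason)
	}
}
```

On the sample data the widely deployed vendor binary raises nothing, while the self-signed `update.exe` on ws03 and the `tool.exe` on ws02 signed after its certificate expired each produce findings. The rarity rule is deliberately gated on fleet size: on a handful of hosts every certificate looks rare, so in practice that threshold is the first thing to tune against the environment's real prevalence data.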


ID: VT0016.002
Sub-techniques: (none)
Tactic: Defense Evasion
Platforms: Windows, macOS
Data Sources: Binary file metadata
Defense Bypassed: Windows User Account Control
Version: 1.0

Created: 22 December 2020

Last Modified: 22 December 2020