Subvert Trust Controls: Code Signing, Sub-technique T1553.002 - Enterprise

C0057

3CX Supply Chain Attack

Although the X_TRADER platform was reportedly discontinued in 2020, it was still available for download from the legitimate Trading Technologies website in 2022. During the 3CX Supply Chain Attack, AppleJeus used a code signing certificate to digitally sign the malicious software with an expiration date set to October 2022. This file was signed with the subject "Trading Technologies International, Inc" and contained the executable file Setup.exe, also signed with the same digital certificate.[5][6]

S0504

Anchor

Anchor has been signed with valid certificates to evade detection by security tools.[7]

S0584

AppleJeus

AppleJeus has used a valid digital signature from Sectigo to appear legitimate.[8]

G0096

APT41

APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[9][10]

C0040

APT41 DUST

APT41 DUST used stolen code signing certificates for DUSTTRAP malware and subsequent payloads.[11]

S0475

BackConfig

BackConfig has been signed with self-signed digital certificates mimicking a legitimate software company.[12]

S0234

Bandook

Bandook was signed with valid Certum certificates.[13]

S0534

Bazar

Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD.[14]

S1070

Black Basta

The Black Basta dropper has been digitally signed with a certificate issued by Akeo Consulting for legitimate executables used for creating bootable USB drives.[15]

S0520

BLINDINGCAN

BLINDINGCAN has been signed with code-signing certificates such as CodeRipper.[16]

S1226

BOOKWORM

BOOKWORM has used valid legitimate digital signatures and certificates to evade detection.[17]

S0415

BOOSTWRITE

BOOSTWRITE has been signed by a valid CA.[18]

C0015

C0015

For C0015, the threat actors used DLL files that had invalid certificates.[19]

S0144

ChChes

ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[20][21][22]

S1149

CHIMNEYSWEEP

CHIMNEYSWEEP has been dropped by a self-extracting archive signed with a valid digital certificate.[23]

S0611

Clop

Clop can use code signing to evade detection.[24]

S0154

Cobalt Strike

Cobalt Strike can use self-signed Java applets to execute signed applet attacks.[25][26]

G0052

CopyKittens

CopyKittens digitally signed an executable with a stolen certificate from the legitimate company AI Squared.[27]

S1235

CorKLOG

CorKLOG has used legitimate signed binaries such as lcommute.exe for follow-on execution of malicious DLLs through DLL side-loading.[28]

S0527

CSPY Downloader

CSPY Downloader has come signed with revoked certificates.[29]

G1034

Daggerfly

Daggerfly has used signed, but not notarized, malicious files for execution in macOS environments.[30]

G0012

Darkhotel

Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.[31][32]

S0187

Daserf

Some Daserf samples were signed with a stolen digital certificate.[33]

S0377

Ebury

Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.[34]

S0624

Ecipekac

Ecipekac has used a valid, legitimate digital signature to evade detection.[35]

S0091

Epic

Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.[36]

G0037

FIN6

FIN6 has used Comodo code-signing certificates.[37]

G0046

FIN7

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.[38][39]

G0093

GALLIUM

GALLIUM has used stolen certificates to sign its tools including those from Whizzimo LLC.[40]

S0168

Gazer

Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd."[41][42]

S1197

GoBear

GoBear uses stolen legitimate code signing certificates for defense evasion.[43][44]

S0342

GreyEnergy

GreyEnergy digitally signs the malware with a code-signing certificate.[45]

S0170

Helminth

Helminth samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared.[46]

S0697

HermeticWiper

The HermeticWiper executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd.[47][48][49][50]

S0698

HermeticWizard

HermeticWizard has been signed by valid certificates assigned to Hermetica Digital.[51]

S0163

Janicab

Janicab used a valid AppleDeveloperID to sign the code to get past security restrictions.[52]

G0094

Kimsuky

Kimsuky has signed files with the name EGIS CO,. Ltd. and has stolen a valid certificate that is used to sign the malware and the dropper.[53][43]

G0032

Lazarus Group

Lazarus Group has digitally signed malware and utilities to evade detection.[54]

G0065

Leviathan

Leviathan has used stolen code signing certificates to sign malware.[55][56]

S0372

LockerGoga

LockerGoga has been signed with stolen certificates in order to make it look more legitimate.[57]

G1014

LuminousMoth

LuminousMoth has signed their malware with a valid digital signature.[58]

S1213

Lumma Stealer

Lumma Stealer has used valid code signing digital certificates from ConsolHQ LTD and Verandah Green Limited to appear legitimate.[59]

S1016

MacMa

MacMa has been delivered using ad hoc Apple Developer code signing certificates.[60]

G1051

Medusa Group

Medusa Group has utilized vulnerable or signed drivers to kill or delete services associated with endpoint detection and response (EDR) tools.[61]

G0045

menuPass

menuPass has resized and added data to the certificate table to enable the signing of modified files with legitimate signatures.[35]

S0455

Metamorfo

Metamorfo has digitally signed executables using AVAST Software certificates.[62]

G1054

MirrorFace

MirrorFace has abused a known Microsoft digital signature verification issue to append encrypted data to digital signatures that still appear to be validly signed.[63]

G0021

Molerats

Molerats has used forged Microsoft code-signing certificates on malware.[64]

S0284

More_eggs

More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.[37]

G1009

Moses Staff

Moses Staff has used signed drivers from an open source tool called DiskCryptor to evade detection.[65]

G0129

Mustang Panda

Mustang Panda has used valid legitimate digital signatures and certificates to evade detection.[66][67][68][17][69][70][28][71]

S0210

Nerex

Nerex drops a signed Microsoft DLL to disk.[72]

G0049

OilRig

OilRig has signed its malware with stolen certificates.[46]

C0060

Operation AkaiRyū

During Operation AkaiRyū, MirrorFace abused a signed McAfee executable to load UPPERCUT.[73]

C0022

Operation Dream Job

During Operation Dream Job, Lazarus Group digitally signed their own malware to evade detection.[74]

C0006

Operation Honeybee

During Operation Honeybee, the threat actors deployed the MaoCheng dropper with a stolen Adobe Systems digital signature.[75]

S1233

PAKLOG

PAKLOG has used legitimate signed binaries such as PACLOUD.exe for follow-on execution of malicious DLLs through DLL side-loading.[28]

G0040

Patchwork

Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.[12]

S0501

PipeMon

PipeMon, its installer, and tools are signed with stolen code-signing certificates.[76]

G0056

PROMETHIUM

PROMETHIUM has signed code with self-signed certificates.[77]

S1228

PUBLOAD

PUBLOAD has used valid legitimate digital signatures and certificates to evade detection.[66]

S0650

QakBot

QakBot can use signed loaders to evade detection.[78][79]

S0262

QuasarRAT

A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.[80]

C0047

RedDelta Modified PlugX Infection Chain Operations

Mustang Panda used legitimate, signed binaries such as inkform.exe or ExcelRepairToolboxLauncher.exe for follow-on execution of malicious DLLs through DLL search order hijacking in RedDelta Modified PlugX Infection Chain Operations.[81]

S1240

RedLine Stealer

RedLine Stealer has used both valid certificates and self-signed digital certificates to appear legitimate.[82]

S1150

ROADSWEEP

ROADSWEEP has been digitally signed with a certificate issued to the Kuwait Telecommunications Company KSC.[83]

S0148

RTM

RTM samples have been signed with a code-signing certificate.[84]

G1031

Saint Bear

Saint Bear has used an initial loader malware featuring a legitimate code signing certificate associated with "Electrum Technologies GmbH."[85]

G1015

Scattered Spider

Scattered Spider has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC.[86]

G0091

Silence

Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).[87]

C0024

SolarWinds Compromise

During the SolarWinds Compromise, APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.[88]

S9024

SPAWNCHIMERA

SPAWNCHIMERA has generated RSA keys against modified files to sign the manifest file, so they appear legitimate.[89][90]

S0646

SpicyOmelette

SpicyOmelette has been signed with valid digital certificates.[91]

S1232

SplatDropper

SplatDropper has used legitimate signed binaries such as BugSplatHD64.exe for follow-on execution of malicious DLLs through DLL side-loading.[28]

S1238

STATICPLUGIN

STATICPLUGIN has been signed with a valid Certificate Authority (CA) to circumvent endpoint defenses.[68]

S1183

StrelaStealer

StrelaStealer variants have used valid code signing certificates.[92]

S0491

StrongPity

StrongPity has been signed with self-signed certificates.[77]

S0603

Stuxnet

Stuxnet used a digitally signed driver with a compromised Realtek certificate.[93]

G0039

Suckfly

Suckfly has used stolen certificates to sign its malware.[94]

S0559

SUNBURST

SUNBURST was digitally signed by SolarWinds from March to May 2020.[88]

S0663

SysUpdate

SysUpdate has been signed with stolen digital certificates.[95]

G0092

TA505

TA505 has signed payloads with code signing certificates from Thawte and Sectigo.[96][97][98]

S1239

TONESHELL

TONESHELL has used valid legitimate digital signatures and certificates to evade detection.[66]

S0266

TrickBot

TrickBot has come with a signed downloader component.[7]

S1196

Troll Stealer

Troll Stealer, along with its associated dropper, utilizes legitimate, stolen code signing certificates.[43][99]

G0044

Winnti Group

Winnti Group used stolen certificates to sign its malware.[100]

G0102

Wizard Spider

Wizard Spider has used DigiCert code-signing certificates for some of its malware.[101]

S1151

ZeroCleare

ZeroCleare can deploy a vulnerable, signed driver on a compromised host to bypass operating system safeguards.[102]