Thanks to all of our ATT&CKcon participants. All sessions are here, and individual presentations will be posted soon.

Code Signing

Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. [1] However, adversaries are known to use code signing certificates to masquerade malware and tools as legitimate binaries [2]. The certificates used during an operation may be created, forged, or stolen by the adversary. [3] [4]

Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. [1]

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

ID: T1116

Tactic: Defense Evasion

Platform:  macOS, Windows

Data Sources:  Binary file metadata

Defense Bypassed:  Windows User Account Control

Version: 1.0

Examples

NameDescription
APT37

APT37 has signed its malware with an invalid digital certificates listed as "Tencent Technology (Shenzhen) Company Limited."[5]

BADNEWS

BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate.[6]

ChChes

ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[7][8][9]

CopyKittens

CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.[10]

Darkhotel

Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen.[11]

Daserf

Some Daserf samples were signed with a stolen digital certificate.[12]

Epic

Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.[13]

FIN7

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.[14][15]

Gazer

Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd."[16][17]

Helminth

Helminth samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared.[18]

Honeybee

Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.[19]

Janicab

Janicab used a valid AppleDeveloperID to sign the code to get past security restrictions.[2]

Leviathan

Leviathan has used stolen code signing certificates used to sign malware.[20]

Molerats

Molerats has used forged Microsoft code-signing certificates on malware.[21]

Nerex

Nerex drops a signed Microsoft DLL to disk.[22]

NETWIRE

The NETWIRE client has been signed by fake and invalid digital certificates.[23]

QuasarRAT

A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.[24]

Regin

Regin stage 1 modules for 64-bit systems have been found to be signed with fake certificates masquerading as originating from Microsoft Corporation and Broadcom Corporation.[25]

RTM

RTM samples have been signed with a code-signing certificates.[26]

SDelete

SDelete is digitally signed by Microsoft.[27]

Suckfly

Suckfly has used stolen certificates to sign its malware.[28]

Winnti Group

Winnti Group used stolen certificates to sign its malware.[29]

Mitigation

Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. [30] [31] [3]

Detection

Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.

References

  1. Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.
  2. Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
  3. Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.
  4. Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.
  5. Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.
  6. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  7. Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  8. Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  9. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  10. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  11. Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
  12. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  13. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  14. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  15. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  16. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  1. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  2. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  3. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  4. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  5. Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.
  6. Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
  7. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
  8. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  9. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  10. Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  11. Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.
  12. DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
  13. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  14. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  15. Microsoft. (n.d.). Manage Trusted Publishers. Retrieved March 31, 2016.