Skip to content

T1553.002 Code Signing

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. 1 The certificates used during an operation may be created, acquired, or stolen by the adversary. 2 3 Unlike Invalid Code Signature, this activity will result in a valid signature.

Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. 1

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

Item Value
ID T1553.002
Sub-techniques T1553.001, T1553.002, T1553.003, T1553.004, T1553.005, T1553.006
Tactics TA0005
Platforms Windows, macOS
Version 1.0
Created 05 February 2020
Last Modified 10 February 2020

Procedure Examples

ID Name Description
S0504 Anchor Anchor has been signed with valid certificates to evade detection by security tools.14
S0584 AppleJeus AppleJeus has used a valid digital signature from Sectigo to appear legitimate.38
G0016 APT29 APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.26
G0096 APT41 APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.5354
S0475 BackConfig BackConfig has been signed with self signed digital certificates mimicking a legitimate software company.21
S0234 Bandook Bandook was signed with valid Certum certificates.43
S0534 Bazar Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD.16
S0520 BLINDINGCAN BLINDINGCAN has been signed with code-signing certificates such as CodeRipper.11
S0415 BOOSTWRITE BOOSTWRITE has been signed by a valid CA.22
S0144 ChChes ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.282930
S0611 Clop Clop can use code signing to evade detection.27
S0154 Cobalt Strike Cobalt Strike can use self signed Java applets to execute signed applet attacks.3536
G0052 CopyKittens CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.50
S0527 CSPY Downloader CSPY Downloader has come signed with revoked certificates.4
G0012 Darkhotel Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.4849
S0187 Daserf Some Daserf samples were signed with a stolen digital certificate.13
S0377 Ebury Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.19
S0624 Ecipekac Ecipekac has used a valid, legitimate digital signature to evade detection.25
S0091 Epic Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.8
G0037 FIN6 FIN6 has used Comodo code-signing certificates.40
G0046 FIN7 FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.5152
G0093 GALLIUM GALLIUM has used stolen certificates to sign its tools including those from Whizzimo LLC.64
S0168 Gazer Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for “Solid Loop Ltd,” and another was issued for “Ultimate Computer Support Ltd.”67
S0342 GreyEnergy GreyEnergy digitally signs the malware with a code-signing certificate.37
S0170 Helminth Helminth samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared.42
S0697 HermeticWiper The HermeticWiper executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd.31323334
S0698 HermeticWizard HermeticWizard has been signed by valid certificates assigned to Hermetica Digital.24
G0072 Honeybee Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.55
S0163 Janicab Janicab used a valid AppleDeveloperID to sign the code to get past security restrictions.39
G0094 Kimsuky Kimsuky has signed files with the name EGIS CO,. Ltd..61
G0032 Lazarus Group Lazarus Group has digitally signed malware and utilities to evade detection.5657
G0065 Leviathan Leviathan has used stolen code signing certificates to sign malware.5859
S0372 LockerGoga LockerGoga has been signed with stolen certificates in order to make it look more legitimate.18
G0045 menuPass menuPass has resized and added data to the certificate table to enable the signing of modified files with legitimate signatures.25
S0455 Metamorfo Metamorfo has digitally signed executables using AVAST Software certificates.20
G0021 Molerats Molerats has used forged Microsoft code-signing certificates on malware.63
S0284 More_eggs More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.40
S0210 Nerex Nerex drops a signed Microsoft DLL to disk.12
G0040 Patchwork Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.21
S0501 PipeMon PipeMon, its installer, and tools are signed with stolen code-signing certificates.41
G0056 PROMETHIUM PROMETHIUM has signed code with self-signed certificates.17
S0650 QakBot QakBot can use signed loaders to evade detection.9
S0262 QuasarRAT A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.5
S0148 RTM RTM samples have been signed with a code-signing certificates.23
G0091 Silence Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).65
S0646 SpicyOmelette SpicyOmelette has been signed with valid digital certificates.10
S0491 StrongPity StrongPity has been signed with self-signed certificates.17
S0603 Stuxnet Stuxnet used a digitally signed driver with a compromised Realtek certificate.15
G0039 Suckfly Suckfly has used stolen certificates to sign its malware.62
S0559 SUNBURST SUNBURST was digitally signed by SolarWinds from March - May 2020.26
G0092 TA505 TA505 has signed payloads with code signing certificates from Thawte and Sectigo.444546
S0266 TrickBot TrickBot has come with a signed downloader component.14
G0044 Winnti Group Winnti Group used stolen certificates to sign its malware.60
G0102 Wizard Spider Wizard Spider has used Digicert code-signing certificates for some of its malware.47

Detection

ID Data Source Data Component
DS0022 File File Metadata

References

  1. Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016. 

  2. Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016. 

  3. Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016. 

  4. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  5. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. 

  6. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. 

  7. Kaspersky Lab’s Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. 

  8. Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. 

  9. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. 

  10. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. 

  11. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  12. Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018. 

  13. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018. 

  14. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  15. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020. 

  16. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  17. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. 

  18. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019. 

  19. M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019. 

  20. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  21. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  22. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019. 

  23. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  24. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. 

  25. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  26. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  27. Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021. 

  28. Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017. 

  29. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  30. Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022. 

  31. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. 

  32. ESET. (2022, February 24). HermeticWiper: New data wiping malware hits Ukraine. Retrieved March 25, 2022. 

  33. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022. 

  34. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. 

  35. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  36. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  37. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  38. Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017. 

  39. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. 

  40. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  41. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. 

  42. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  43. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019. 

  44. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019. 

  45. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. 

  46. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. 

  47. Kaspersky Lab’s Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014. 

  48. Kaspersky Lab’s Global Research & Analysis Team. (2015, August 10). Darkhotel’s attacks in 2015. Retrieved November 2, 2018. 

  49. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  50. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. 

  51. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. 

  52. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  53. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. 

  54. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  55. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  56. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  57. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  58. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019. 

  59. Kaspersky Lab’s Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. 

  60. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020. 

  61. DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016. 

  62. Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016. 

  63. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. 

  64. Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020. 

Back to top