T1588.003 Code Signing Certificates
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.1 Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is.
Prior to Code Signing, adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.
| Item | Value |
|---|---|
| ID | T1588.003 |
| Sub-techniques | T1588.001, T1588.002, T1588.003, T1588.004, T1588.005, T1588.006 |
| Tactics | TA0042 |
| Platforms | PRE |
| Version | 1.1 |
| Created | 01 October 2020 |
| Last Modified | 17 October 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0098 | BlackTech | BlackTech has used stolen code-signing certificates for its malicious payloads.4 |
| G1003 | Ember Bear | Ember Bear has stolen legitimate certificates to sign malicious payloads.3 |
| S0576 | MegaCortex | MegaCortex has used code signing certificates issued to fake companies to bypass security controls.2 |
| C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group used code signing certificates issued by Sectigo RSA for some of its malware and tools.7 |
| G0027 | Threat Group-3390 | Threat Group-3390 has obtained stolen valid certificates, including from VMProtect and the Chinese instant messaging application Youdu, for their operations.5 |
| G0102 | Wizard Spider | Wizard Spider obtained a code signing certificate signed by Digicert for some of its malware.6 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0004 | Malware Repository | Malware Metadata |
References
-
Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016. ↩
-
Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. ↩
-
Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. ↩
-
Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022. ↩
-
Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. ↩
-
The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. ↩
-
Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. ↩