Movatterモバイル変換

[0]ホーム
URL:

  1. Home
  2. Techniques
  3. Enterprise
  4. Obtain Capabilities
  5. Code Signing Certificates

Obtain Capabilities: Code Signing Certificates

Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.[1] Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.

Prior toCode Signing, adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.

ID: T1588.003
Sub-technique of: T1588
Platforms: PRE
Version: 1.1
Created: 01 October 2020
Last Modified: 24 October 2025

Procedure Examples

IDNameDescription
C0040 APT41 DUST

APT41 DUST used stolen code signing certificates to signDUSTTRAP malware and components.[2]

G0098 BlackTech

BlackTech has used stolen code-signing certificates for its malicious payloads.[3]

G0061 FIN8

FIN8 has used an expired open-source X.509 certificate for testing in the OpenSSL repository, to connect to actor-controlled C2 servers.[4]

C0038 HomeLand Justice

DuringHomeLand Justice, threat actors used tools with legitimate code signing certificates.[5]

G0094 Kimsuky

Kimsuky has stolen a valid certificate that is used to sign the malware and the dropper.[6]

S0576 MegaCortex

MegaCortex has used code signing certificates issued to fake companies to bypass security controls.[7]

G0129 Mustang Panda

Mustang Panda has used revoked code signing certificates for its malicious payloads.[8]

G0049 OilRig

OilRig has obtained stolen code signing certificates to digitally sign malware.[9]

C0022 Operation Dream Job

DuringOperation Dream Job,Lazarus Group used code signing certificates issued by Sectigo RSA for some of its malware and tools.[10]

G0027 Threat Group-3390

Threat Group-3390 has obtained stolen valid certificates, including from VMProtect and the Chinese instant messaging application Youdu, for their operations.[11]

G0102 Wizard Spider

Wizard Spider has obtained code signing certificates signed by DigiCert, GlobalSign, and COMOOD for malware payloads.[12][13]

Mitigations

IDMitigationDescription
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection Strategy

IDNameAnalytic IDAnalytic Description
DET0875Detection of Code Signing CertificatesAN2007

Consider analyzing code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, common name, and certificate authority. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in procuring code signing certificates.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such asCode Signing orInstall Root Certificate.

References

  1. Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.
  2. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  3. Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.
  4. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  5. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  6. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  7. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  1. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025.
  2. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  3. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  4. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  5. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  6. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
×
[8]ページ先頭
©2009-2026 Movatter.jp