- Trusted Signing, a Microsoft certificate-signing service, is being abused by criminals, researchers are saying
- The criminals are signing malware with short-lived, three-day certificates
- Microsoft is actively monitoring for certificate abuse
Cybersecurity experts have warned Trusted Signing, Microsoft’s code-signing platform, is being abused to grant malware certificates and help it bypass endpoint protection and antivirus programs.
Certificates are digital credentials that verify the authenticity, integrity, and security of software. They use cryptographic keys to establish secure communications and prevent tampering or impersonation, and are considered crucial for encrypting sensitive data, ensuring secure transactions, and maintaining user trust. In software development, code-signing certificates validate that an application has not been altered after release.
Microsoft describes Trusted Signing as a, “fully managed, end-to-end signing solution that simplifies the certificate signing process and helps partner developers more easily build and distribute applications.”
Lumma Stealer and others
However, BleepingComputer reports multiple researchers observing threat actors using Trusted Signing to sign their malware with “short-lived, three-day code-signing certificates”.
Software signed this way will remain valid until the certificate is revoked, which suggests that the malware could successfully bypass security solutions for a lot longer.
The malware samples they analyzed were signed by “Microsoft ID Verified CS EOC CA 01,” it was said.
Among the campaigns abusing Microsoft are Crazy Evil Traffers’ crypto heist, and Lumma Stealer.
One of the ways Microsoft seems to be tackling this issue is to only allow certificates to be issued under the name of a company that’s been operational for at least three years.
However, individuals can sign up and get faster approval, if the certificate is issued under their name.
Microsoft says it is constantly monitoring the landscape and revoking certificates that were found to have been abused.
“When we detect threats we immediately mitigate with actions such as broad certificate revocation and account suspension. The malware samples you shared are detected by our antimalware products and we have already taken action to revoke the certificates and prevent further account abuse,” the company noted.
Leave a comment