
Subvert Trust Controls: Code Signing

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike Invalid Code Signature, this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning) Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

ID: T1553.002
Parent technique: T1553
Tactic(s): Defense Evasion
Platforms: macOS, Windows
Data sources: File: File Metadata
Version: 1.1
Created: 05 Feb 2020
Last modified: 22 Sep 2022

Procedure Examples

Name Description
Cobalt Strike

Cobalt Strike can use self-signed Java applets to execute signed applet attacks.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

BackConfig

BackConfig has been signed with self-signed digital certificates mimicking a legitimate software company.(Citation: Unit 42 BackConfig May 2020)

FIN7

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)

Daserf

Some Daserf samples were signed with a stolen digital certificate.(Citation: Symantec Tick Apr 2016)

Patchwork

Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.(Citation: Unit 42 BackConfig May 2020)

HermeticWizard

HermeticWizard has been signed by valid certificates assigned to Hermetica Digital.(Citation: ESET Hermetic Wizard March 2022)

Kimsuky

Kimsuky has signed files with the name EGIS CO,. Ltd..(Citation: ThreatConnect Kimsuky September 2020)

Helminth

Helminth samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared.(Citation: ClearSky OilRig Jan 2017)

GALLIUM

GALLIUM has used stolen certificates to sign its tools including those from Whizzimo LLC.(Citation: Microsoft GALLIUM December 2019)

APT41

APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

C0015

For C0015, the threat actors used DLL files that had invalid certificates.(Citation: DFIR Conti Bazar Nov 2021)

Molerats

Molerats has used forged Microsoft code-signing certificates on malware.(Citation: FireEye Operation Molerats)

HermeticWiper

The HermeticWiper executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd.(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)

GreyEnergy

GreyEnergy digitally signs the malware with a code-signing certificate.(Citation: ESET GreyEnergy Oct 2018)

BLINDINGCAN

BLINDINGCAN has been signed with code-signing certificates such as CodeRipper.(Citation: US-CERT BLINDINGCAN Aug 2020)

Nerex

Nerex drops a signed Microsoft DLL to disk.(Citation: Symantec Nerex May 2012)

UNC2452

UNC2452 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.(Citation: FireEye SUNBURST Backdoor December 2020)

AppleJeus

AppleJeus has used a valid digital signature from Sectigo to appear legitimate.(Citation: CISA AppleJeus Feb 2021)

Operation Honeybee

During Operation Honeybee, the threat actors deployed the MaoCheng dropper with a stolen Adobe Systems digital signature.(Citation: McAfee Honeybee)

CSPY Downloader

CSPY Downloader has come signed with revoked certificates.(Citation: Cybereason Kimsuky November 2020)

QakBot

QakBot can use signed loaders to evade detection.(Citation: ATT QakBot April 2021)

Ember Bear

Ember Bear has used stolen certificates from Electrum Technologies GmbH to sign payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

RTM

RTM samples have been signed with a code-signing certificate.(Citation: ESET RTM Feb 2017)

Anchor

Anchor has been signed with valid certificates to evade detection by security tools.(Citation: Cyberreason Anchor December 2019)

Lazarus Group

Lazarus Group has digitally signed malware and utilities to evade detection.(Citation: ESET Lazarus Jun 2020)(Citation: Lazarus APT January 2022)

Epic

Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.(Citation: Kaspersky Turla)

Moses Staff

Moses Staff has used signed drivers from an open source tool called DiskCryptor to evade detection.(Citation: Checkpoint MosesStaff Nov 2021)

Silence

Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).(Citation: Group IB Silence Aug 2019)

SUNBURST

SUNBURST was digitally signed by SolarWinds from March to May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)

Wizard Spider

Wizard Spider has used Digicert code-signing certificates for some of its malware.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Leviathan

Leviathan has used stolen code signing certificates to sign malware.(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019)

FIN6

FIN6 has used Comodo code-signing certificates.(Citation: Security Intelligence More Eggs Aug 2019)

Clop

Clop can use code signing to evade detection.(Citation: Unit42 Clop April 2021)

menuPass

menuPass has resized and added data to the certificate table to enable the signing of modified files with legitimate signatures.(Citation: Securelist APT10 March 2021)

APT29

APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.(Citation: FireEye SUNBURST Backdoor December 2020)

BOOSTWRITE

BOOSTWRITE has been signed by a valid CA.(Citation: FireEye FIN7 Oct 2019)

Honeybee

Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.(Citation: McAfee Honeybee)

PROMETHIUM

PROMETHIUM has signed code with self-signed certificates.(Citation: Bitdefender StrongPity June 2020)

Darkhotel

Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)

Bazar

Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD.(Citation: Cybereason Bazar July 2020)

TA505

TA505 has signed payloads with code signing certificates from Thawte and Sectigo.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: Trend Micro TA505 June 2019)

Metamorfo

Metamorfo has digitally signed executables using AVAST Software certificates.(Citation: Medium Metamorfo Apr 2020)

LockerGoga

LockerGoga has been signed with stolen certificates in order to make it look more legitimate.(Citation: Wired Lockergoga 2019)

Gazer

Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd."(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)

Ecipekac

Ecipekac has used a valid, legitimate digital signature to evade detection.(Citation: Securelist APT10 March 2021)

TrickBot

TrickBot has come with a signed downloader component.(Citation: Cyberreason Anchor December 2019)

More_eggs

More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.(Citation: Security Intelligence More Eggs Aug 2019)

Suckfly

Suckfly has used stolen certificates to sign its malware.(Citation: Symantec Suckfly March 2016)

QuasarRAT

A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.(Citation: Volexity Patchwork June 2018)

Stuxnet

Stuxnet used a digitally signed driver with a compromised Realtek certificate.(Citation: Symantec W.32 Stuxnet Dossier)

Ebury

Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.(Citation: ESET Ebury Feb 2014)

SpicyOmelette

SpicyOmelette has been signed with valid digital certificates.(Citation: Secureworks GOLD KINGSWOOD September 2018)

StrongPity

StrongPity has been signed with self-signed certificates.(Citation: Bitdefender StrongPity June 2020)

PipeMon

PipeMon, its installer, and tools are signed with stolen code-signing certificates.(Citation: ESET PipeMon May 2020)

Winnti Group

Winnti Group used stolen certificates to sign its malware.(Citation: Kaspersky Winnti April 2013)

CopyKittens

CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.(Citation: ClearSky Wilted Tulip July 2017)

Janicab

Janicab used a valid Apple Developer ID to sign the code to get past security restrictions.(Citation: Janicab)

ChChes

ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.(Citation: Palo Alto menuPass Feb 2017)(Citation: JPCERT ChChes Feb 2017)(Citation: PWC Cloud Hopper Technical Annex April 2017)

Bandook

Bandook was signed with valid Certum certificates.(Citation: CheckPoint Bandook Nov 2020)

Detection

Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.
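The detection guidance above, worked as an added example (not part of the ATT&CK entry or this page): a Python pass over a constructed inventory of signer metadata that flags the certificate characteristics the procedure examples describe, namely self-signed certificates, publisher names that imitate a known vendor, revoked certificates, and signers that are rare across the fleet. The record fields, file paths, publisher names and the `KNOWN_PUBLISHERS` allowlist are assumptions for illustration.

```python
# Added example (not from the ATT&CK page): rank signer metadata collected from
# executed files by the outlier properties named in the procedure examples above.
from collections import Counter
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class SigRecord:
    path: str
    subject: str   # signer certificate subject CN ("" if unsigned)
    issuer: str    # issuing CA subject CN
    valid: bool    # signature cryptographically verifies against the file
    revoked: bool  # signer certificate is revoked per CRL/OCSP

# Constructed inventory resembling Sysmon/Get-AuthenticodeSignature exports.
RECORDS = [
    SigRecord(r"C:\Program Files\Vendor\app.exe", "Example Vendor Inc.", "DigiCert CA", True, False),
    SigRecord(r"C:\Program Files\Vendor\svc.exe", "Example Vendor Inc.", "DigiCert CA", True, False),
    SigRecord(r"C:\Users\u\Downloads\update.exe", "Example Vendor lnc.", "Example Vendor lnc.", True, False),  # self-signed lookalike
    SigRecord(r"C:\Users\u\AppData\Local\Temp\loader.dll", "Legit Software Co", "Sectigo CA", True, True),  # stolen cert, since revoked
    SigRecord(r"C:\ProgramData\x\agent.exe", "Whizz Holdings LLC", "Sectigo CA", True, False),  # seen once fleet-wide
    SigRecord(r"C:\Users\u\Downloads\setup.exe", "", "", False, False),  # unsigned
]
KNOWN_PUBLISHERS = {"Example Vendor Inc."}  # publishers your change process expects

def _norm(name: str) -> str:
    """Fold case and strip punctuation so 'Co,. Ltd..' and 'Co Ltd' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def _edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(subject: str, known=KNOWN_PUBLISHERS) -> bool:
    # Subject is within two edits of a known publisher without being that publisher.
    s = _norm(subject)
    return any(s != _norm(k) and _edit_distance(s, _norm(k)) <= 2 for k in known)

def findings(records=RECORDS, known=KNOWN_PUBLISHERS, min_prevalence=2):
    """Return [(path, [reasons])] for files whose signer metadata is an outlier."""
    prevalence = Counter(r.subject for r in records)
    out = []
    for r in records:
        reasons = []
        if not r.valid:
            reasons.append("unsigned-or-invalid")  # T1036.001, reported separately
        else:
            if r.revoked:
                reasons.append("revoked-certificate")
            if _norm(r.subject) == _norm(r.issuer):
                reasons.append("self-signed")
            if r.subject not in known:
                if lookalike(r.subject, known):
                    reasons.append("lookalike-publisher")
                if prevalence[r.subject] < min_prevalence:
                    reasons.append("rare-signer")
        if reasons:
            out.append((r.path, reasons))
    return out
```

A valid signature from a rare or lookalike signer is the case this technique produces, so these findings are triage leads to compare against the software your change process actually deployed, not verdicts on their own.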

References

  1. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  2. Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.
  3. Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.
  4. Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.
  5. Howard Oakley. (2020, November 16). Checks on executable code in Catalina and Big Sur: a first draft. Retrieved September 21, 2022.
  6. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  7. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  8. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  9. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  10. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  11. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  12. Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  13. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  14. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  15. Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
  16. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  17. Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.
  18. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  19. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  20. Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021.
  21. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  22. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  23. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  24. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
  25. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
  26. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  27. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  28. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  29. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  30. ESET. (2022, February 24). HermeticWiper: New data wiping malware hits Ukraine. Retrieved March 25, 2022.
  31. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  32. Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022.
  33. Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
  34. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  35. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  36. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  37. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  38. Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  39. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  40. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  41. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
  42. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  43. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  44. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  45. DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
  46. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  47. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  48. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  49. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  50. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  51. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a Dual Espionage and Cyber Crime Operation. Retrieved September 23, 2019.
  52. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  53. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  54. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
  55. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  56. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  57. Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
  58. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  59. Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.
  60. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  61. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  62. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  63. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  64. Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  65. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.
  66. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  67. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  68. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  69. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
