Description
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike Invalid Code Signature, this activity will result in a valid signature.
Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning)
Code signing certificates may be used to bypass security policies that require signed code to execute on a system.
Platforms
Threat Groups (27)
| ID | Group | Context |
|---|---|---|
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has signed [Carbanak](https://attack.mitre.org/software/S0030) payloads with legally purchased code sign... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has used self-signed and stolen certificates originally issued to NVIDIA and Global Software... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) has signed malware with self-signed certificates from fictitious and spoofed legitimate software co... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has signed files with the name EGIS CO,. Ltd. and has stolen a valid certificate that is used to sign... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) has used stolen certificates to sign its tools including those from Whizzimo LLC.(Citation: Microsoft... |
| G1031 | Saint Bear | [Saint Bear](https://attack.mitre.org/groups/G1031) has used an initial loader malware featuring a legitimate code signing certificate associated with... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizat... |
| G0021 | Molerats | [Molerats](https://attack.mitre.org/groups/G0021) has used forged Microsoft code-signing certificates on malware.(Citation: FireEye Operation Molerats... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has signed its malware with stolen certificates.(Citation: ClearSky OilRig Jan 2017) |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has abused a known Microsoft digital signature verification issues to append encrypted data to dig... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has digitally signed malware and utilities to evade detection.(Citation: Lazarus APT January 20... |
| G1009 | Moses Staff | [Moses Staff](https://attack.mitre.org/groups/G1009) has used signed drivers from an open source tool called DiskCryptor to evade detection.(Citation:... |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).(Citation:... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used Digicert code-signing certificates for some of its malware.(Citation: DFIR Ryuk 2 Hour... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used stolen code signing certificates to sign malware.(Citation: FireEye Periscope March 2018)(... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used Comodo code-signing certificates.(Citation: Security Intelligence More Eggs Aug 2019) |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has resized and added data to the certificate table to enable the signing of modified files with leg... |
| G0056 | PROMETHIUM | [PROMETHIUM](https://attack.mitre.org/groups/G0056) has signed code with self-signed certificates.(Citation: Bitdefender StrongPity June 2020) |
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has used code-signing certificates on its malware that are either forged due to weak keys or stolen... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has signed payloads with code signing certificates from Thawte and Sectigo.(Citation: Cybereason TA505 ... |
Associated Software (53)
| ID | Name | Type | Context |
|---|---|---|---|
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can use self signed Java applets to execute signed applet attacks.(Citation: Talos Cobalt Str... |
| S0475 | BackConfig | Malware | [BackConfig](https://attack.mitre.org/software/S0475) has been signed with self signed digital certificates mimicking a legitimate software company.(C... |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) has used both valid certificates and self-signed digital certificates to appear legitimate.... |
| S1235 | CorKLOG | Malware | [CorKLOG](https://attack.mitre.org/software/S1235) has used legitimate signed binaries such as lcommute.exe for follow-on execution of malicious DLLs ... |
| S0187 | Daserf | Malware | Some [Daserf](https://attack.mitre.org/software/S0187) samples were signed with a stolen digital certificate.(Citation: Symantec Tick Apr 2016) |
| S1226 | BOOKWORM | Malware | [BOOKWORM](https://attack.mitre.org/software/S1226) has used valid legitimate digital signatures and certificates to evade detection. (Citation: Unit4... |
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has used valid legitimate digital signatures and certificates to evade detection.(Citation: CSIRT C... |
| S0698 | HermeticWizard | Malware | [HermeticWizard](https://attack.mitre.org/software/S0698) has been signed by valid certificates assigned to Hermetica Digital.(Citation: ESET Hermetic... |
| S0170 | Helminth | Malware | [Helminth](https://attack.mitre.org/software/S0170) samples have been signed with legitimate, compromised code signing certificates owned by software ... |
| S1070 | Black Basta | Malware | The [Black Basta](https://attack.mitre.org/software/S1070) dropper has been digitally signed with a certificate issued by Akeo Consulting for legitima... |
| S1016 | MacMa | Malware | [MacMa](https://attack.mitre.org/software/S1016) has been delivered using ad hoc Apple Developer code signing certificates.(Citation: SentinelOne Macm... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) variants have used valid code signing certificates.(Citation: IBM StrelaStealer 2024) |
| S1238 | STATICPLUGIN | Malware | [STATICPLUGIN](https://attack.mitre.org/software/S1238) has been signed with a valid Certificate Authority(CA) to circumvent endpoint defenses.(Citati... |
| S0663 | SysUpdate | Malware | [SysUpdate](https://attack.mitre.org/software/S0663) has been signed with stolen digital certificates.(Citation: Lunghi Iron Tiger Linux) |
| S0697 | HermeticWiper | Malware | The [HermeticWiper](https://attack.mitre.org/software/S0697) executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd.... |
| S0342 | GreyEnergy | Malware | [GreyEnergy](https://attack.mitre.org/software/S0342) digitally signs the malware with a code-signing certificate.(Citation: ESET GreyEnergy Oct 2018) |
| S0520 | BLINDINGCAN | Malware | [BLINDINGCAN](https://attack.mitre.org/software/S0520) has been signed with code-signing certificates such as CodeRipper.(Citation: US-CERT BLINDINGCA... |
| S1150 | ROADSWEEP | Malware | [ROADSWEEP](https://attack.mitre.org/software/S1150) has been digitally signed with a certificate issued to the Kuwait Telecommunications Company KSC.... |
| S1196 | Troll Stealer | Malware | [Troll Stealer](https://attack.mitre.org/software/S1196), along with its associated dropper, utilizes legitimate, stolen code signing certificates.(Ci... |
| S0210 | Nerex | Malware | [Nerex](https://attack.mitre.org/software/S0210) drops a signed Microsoft DLL to disk.(Citation: Symantec Nerex May 2012) |
References
- Howard Oakley. (2020, November 16). Checks on executable code in Catalina and Big Sur: a first draft. Retrieved September 21, 2022.
- Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.
- Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.
- Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.
Frequently Asked Questions
What is T1553.002 (Code Signing)?
T1553.002 is a MITRE ATT&CK technique named 'Code Signing'. It belongs to the Defense Impairment tactic(s). Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the b...
How can T1553.002 be detected?
Detection of T1553.002 (Code Signing) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1553.002?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1553.002?
Known threat groups using T1553.002 include: FIN7, Scattered Spider, Patchwork, Kimsuky, GALLIUM, Saint Bear, APT41, Molerats.