Cybercriminals are increasingly exploiting Microsoft’s Trusted Signing platform to sign malware executables using short-lived certificates that last for only three days. This tactic aligns with a long-standing trend in which threat actors seek code-signing certificates to lend legitimacy to their malicious software, facilitating the bypass of security measures that typically flag unsigned executables.
The ability to sign malware with code-signing certificates significantly enhances their potential to evade detection by security software, which may otherwise treat unsigned files with considerable suspicion. Among the various types of certificates, Extended Validation (EV) code-signing certificates are particularly coveted by cybercriminals. These certificates are associated with a more rigorous verification process, resulting in higher levels of trust from various cybersecurity programs. Notably, executables signed with EV certificates benefit from an enhanced reputation within Microsoft’s SmartScreen, reducing the likelihood of red flags during execution.
Although EV code-signing certificates are highly sought after, they are notoriously difficult to acquire. Cybercriminals may resort to stealing them from legitimate companies or to establishing fake businesses at significant cost. Furthermore, the utility of these certificates is fleeting: once used in a malware campaign, they are quickly revoked, rendering them unusable for future attacks.
### Exploiting Microsoft’s Trusted Signing Service
Recent analysis by cybersecurity researchers reveals that threat actors are utilizing the Microsoft Trusted Signing service to gain access to short-lived, three-day code-signing certificates. These certificates are issued by “Microsoft ID Verified CS EOC CA 01” and remain valid for three days post-issuance. It is crucial to note that executables signed with these certificates will continue to be recognized as valid until the certificates are officially revoked by the issuer.
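As an added defensive check (not code from the article, from Microsoft, or from the researchers cited), the following PowerShell script uses the built-in `Get-AuthenticodeSignature` cmdlet to surface executables whose signer certificate was issued by "Microsoft ID Verified CS EOC CA 01" or whose validity window is three days or shorter, so that an analyst can triage them for reputation and hash lookups. The scan directory, the file extensions and the three-day threshold are assumptions; the issuer name and lifetime are taken from the text above.

```powershell
# Added example: triage executables carrying short-lived Trusted Signing
# certificates. Assumptions: the scan path, extensions and threshold below.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",   # assumed scan location
    [int]$MaxLifetimeDays = 3                        # lifetime named in the article
)

# Issuer string reported for the short-lived certificates (from the article).
$issuerPattern = 'Microsoft ID Verified CS EOC CA 01'

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Unsigned files are handled by other controls; skip them here.
        if ($null -eq $sig.SignerCertificate) { return }

        $cert     = $sig.SignerCertificate          # X509Certificate2 of the leaf signer
        $lifetime = $cert.NotAfter - $cert.NotBefore

        [pscustomobject]@{
            File           = $_.FullName
            # Status reflects chain validation at scan time; it stops being
            # 'Valid' once the issuer revokes the certificate.
            Status         = $sig.Status
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotBefore      = $cert.NotBefore
            NotAfter       = $cert.NotAfter
            LifetimeDays   = [math]::Round($lifetime.TotalDays, 2)
            # A countersignature keeps the signature valid after NotAfter.
            TimeStamped    = [bool]$sig.TimeStamperCertificate
            TrustedSigning = $cert.Issuer -like "*$issuerPattern*"
            ShortLived     = $lifetime.TotalDays -le $MaxLifetimeDays
        }
    } |
    Where-Object { $_.TrustedSigning -or $_.ShortLived } |
    Sort-Object NotBefore -Descending |
    Format-Table File, Status, Subject, LifetimeDays, TimeStamped, TrustedSigning -AutoSize
```

A hit is a triage signal, not a verdict: legitimate developers who subscribe to Trusted Signing receive certificates from the same issuer with the same lifetime, so the rows this script prints should be paired with file-hash reputation lookups and the `Status` column re-checked after a revocation wave. Because timestamped signatures stay valid after the three-day window closes, the short lifetime on its own does not stop a signed sample from running.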
Numerous malware samples linked to ongoing campaigns have been discovered since this exploitation began, including those associated with the Crazy Evil Traffers crypto-theft operation and Lumma Stealer campaigns. This indicates a concerning trend in which threat actors are leveraging well-known platforms to facilitate their malicious activities.
Launched in 2024, the Microsoft Trusted Signing service is a cloud-based solution that enables developers to easily sign their applications with Microsoft’s credentials. As stated in Microsoft’s promotional material, “Trusted Signing is a comprehensive code-signing service designed for ease of use by developers, supported by a Microsoft-managed certification authority.” This service is tailored to meet both public and private trust signing scenarios and includes a timestamping feature.
For a $9.99 monthly subscription fee, developers can conveniently sign their executables while benefiting from enhanced security measures. These include short-lived certificates that can be swiftly revoked in cases of misuse, in addition to a system designed to prevent direct issuance of certificates to developers, thereby reducing risks associated with data breaches.
Microsoft asserts that certificates obtained through the Trusted Signing service provide a comparable SmartScreen reputation boost to those signed through other means. An FAQ on the Trusted Signing site states, “A Trusted Signing signature ensures that your application is trusted by providing base reputation on SmartScreen, user-mode trust on Windows, and integrity check signature validation compliance.”
To mitigate the risk of abuse, Microsoft requires that companies have been in operation for three years before certificates can be issued under their business name. Individuals may obtain approval more easily, though their certificates will be issued under their personal name.
### The Shift in Tactics Among Cybercriminals
According to cybersecurity researcher Squiblydoo, who has analyzed the use of signed certificates in malware campaigns for years, threat actors may be gravitating towards Microsoft’s service for its convenience. “Historically, EV certificates have been the gold standard for signing,” Squiblydoo noted. “However, recently announced changes to EV certificates have left many in the industry—including attackers—uncertain.”
The ambiguity surrounding these changes has led to a strategic pivot where mere possession of a code-signing certificate suffices for attackers. Squiblydoo further stated, “The verification process for Microsoft’s certificates is significantly less stringent compared to that of EV certificates, which makes MS certificates a more attractive option for cybercriminals.”
When approached for comment on the ongoing abuse of the Trusted Signing service, Microsoft affirmed its commitment to proactive threat intelligence monitoring to identify and revoke misuse of certificates. “We continuously leverage threat intelligence to detect any form of abuse linked to our signing service,” a company representative confirmed. “Upon identifying threats, we take immediate action through broad certificate revocation and account suspension. The malware samples you referenced are detectably managed by our antimalware solutions, and we have acted promptly to mitigate further misuse.”
The ongoing evolution of techniques employed by cybercriminals within the realm of code signing underscores the necessity for robust cybersecurity measures and a proactive approach to defending against such emerging threats. As the landscape of cyber threats advances, remaining vigilant and informed is paramount for all stakeholders involved in software development and cybersecurity practices.