EXECUTIVE SUMMARY:
Microsoft’s Trusted Signing service has been exploited to sign malware, allowing attackers to distribute malicious software that appears legitimate. Threat actors abused a feature that lets developers submit unsigned kernel-mode drivers for signing, enabling them to bypass security mechanisms. Researchers discovered multiple cases of this misuse, where signed malware was used to install rootkits and disable security software. Microsoft has since revoked the malicious certificates and tightened security, but the incident raises concerns about the risks of trusted code-signing services.
Attackers submitted unsigned drivers to Microsoft’s signing program, gaining legitimate signatures that granted elevated privileges on Windows systems. The malware, often delivered via phishing or trojans, was used to disable antivirus software, escalate privileges, and establish persistence. Security analysis revealed advanced evasion techniques, including obfuscation and encrypted communication with command-and-control servers. Some malware families linked to these attacks were associated with cybercrime groups and state-sponsored actors. Since Microsoft-signed binaries are inherently trusted, this technique significantly increased the malware’s effectiveness.
This abuse highlights the risks of code-signing mechanisms and the need for stronger verification processes. While Microsoft has revoked malicious certificates and enhanced security, attackers continue to adapt. Organizations should adopt a layered security approach, including endpoint detection, behavioral analysis, and strict execution policies. The incident underscores the broader risk of trusted signing services being exploited and emphasizes the need for proactive monitoring and improved security controls.
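One concrete control behind the "strict execution policies" recommendation above is a periodic audit of the drivers a host has registered, checking both the Authenticode signature and whether the signer certificate has since been revoked (revoked certificates being exactly how Microsoft responded here). The script below is an added example, not code from this page or from the referenced report; it assumes a Windows host with PowerShell 5.1 or later, read access to the driver files, and network reachability for CRL/OCSP lookups. The function names are the author's own.

```powershell
# Added example: audit registered kernel drivers for signature validity and
# signer-certificate revocation. Not from the referenced report; assumes Windows,
# PowerShell 5.1+, and network access for online revocation checks.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may carry NT-style prefixes; normalise to a Win32 path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$FilePath)
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $result = [ordered]@{
        Path        = $FilePath
        SigStatus   = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = $null
        Issuer      = $null
        NotBefore   = $null
        NotAfter    = $null
        Revoked     = $false
        ChainErrors = @()
    }
    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer    = $cert.Subject
        $result.Issuer    = $cert.Issuer
        $result.NotBefore = $cert.NotBefore
        $result.NotAfter  = $cert.NotAfter

        # Rebuild the chain with online revocation checking. Get-AuthenticodeSignature
        # alone does not tell you whether the signer certificate was revoked later.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        # Evaluate for the code-signing EKU (1.3.6.1.5.5.7.3.3), not e.g. server auth.
        $null = $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
        # Signing certificates are often short-lived and legitimately expired by audit time;
        # expiry is not the signal we want here, revocation is.
        $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid

        $null = $chain.Build($cert)
        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $result.Revoked     = ($result.ChainErrors -contains 'Revoked')
    }
    return [pscustomobject]$result
}

function Get-SuspiciousDrivers {
    # Enumerate every driver service the host knows about (running or not) and
    # return those whose signature is not Valid or whose signer is revoked.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (Test-Path -LiteralPath $path) {
                Test-DriverSignature -FilePath $path |
                    Add-Member -NotePropertyName Service -NotePropertyValue $_.Name -PassThru
            }
        } |
        Where-Object { $_.SigStatus -ne 'Valid' -or $_.Revoked }
}

Get-SuspiciousDrivers | Format-Table Service, SigStatus, Revoked, Signer, Path -AutoSize
```

Two points to keep in mind when reading the output. First, a driver whose signature is timestamped stays loadable after its signing certificate is revoked, because Windows treats the signature as made while the certificate was still good; that is why the script reports revocation independently of `SigStatus` rather than relying on the signature check alone. Second, `RevocationStatusUnknown` or `OfflineRevocation` in `ChainErrors` means the lookup could not complete, not that the certificate is clean, so run the audit from a host that can reach the CRL and OCSP endpoints.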
THREAT PROFILE:
Tactic | Technique ID | Technique |
Persistence | T1542 | Pre-OS Boot |
Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
Defense Evasion | T1553 | Subvert Trust Controls |
Defense Evasion | T1207 | Rogue Domain Controller |
Defense Evasion | T1014 | Rootkit |
Credential Access | T1552 | Unsecured Credentials |
Command and Control | T1573 | Encrypted Channel |
Impact | T1499 | Endpoint Denial of Service |
REFERENCES:
The following reports contain further technical details:
https://www.bleepingcomputer.com/news/security/microsoft-trusted-signing-service-abused-to-code-sign-malware/