Key trusted Microsoft platform exploited to enable malware, experts warn


  • Trusted Signing, Microsoft’s certificate-signing service, is being abused by criminals, researchers say
  • The criminals are signing malware with short-lived, three-day code-signing certificates
  • Microsoft says it is actively monitoring for certificate abuse and revoking abused certificates

Cybersecurity experts have warned that Trusted Signing, Microsoft’s code-signing platform, is being abused to sign malware with legitimate certificates, helping it bypass endpoint protection and antivirus programs.

Certificates are digital credentials that vouch for the identity of a publisher and the integrity of the software it distributes. They are bound to cryptographic keys that are used to establish secure communications and to detect tampering or impersonation, and they are considered crucial for encrypting sensitive data, securing transactions, and maintaining user trust. In software development, a code-signing certificate lets users and security tools verify that an application has not been altered since the publisher signed it.

Microsoft describes Trusted Signing as a “fully managed, end-to-end signing solution that simplifies the certificate signing process and helps partner developers more easily build and distribute applications.”

Lumma Stealer and others

However, BleepingComputer reports that multiple researchers have observed threat actors using Trusted Signing to sign their malware with “short-lived, three-day code-signing certificates”.

Software signed this way remains trusted until the certificate is revoked, not merely until the three-day certificate expires, which means the malware could continue to bypass security solutions for far longer than the certificate’s lifetime suggests.

The malware samples the researchers analyzed were signed by “Microsoft ID Verified CS EOC CA 01”, it was said.
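The two points above, that a signature stays trusted until revocation rather than until the certificate’s three-day window closes, and that the observed samples chained to a specific issuing CA, translate directly into a triage check. The following PowerShell script is an added example, not code from the article or from Microsoft: it walks a folder of downloaded binaries with the built-in Get-AuthenticodeSignature cmdlet and flags any file whose signing certificate had an unusually short validity window or was issued by the CA named in the reports. The folder path, the three-day threshold and the issuer pattern are parameters you would adjust for your environment; the script assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the article): flag signed binaries whose code-signing
# certificate looks like the short-lived abuse pattern described in the reports.
# Assumptions: Windows PowerShell 5.1+; $Path, $MaxDays and $IssuerPattern are
# illustrative defaults to tune for your own environment.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [int]$MaxDays = 3,
    [string]$IssuerPattern = 'Microsoft ID Verified CS EOC CA 01'
)

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    # Unsigned files are a separate question; this check is about abused signatures.
    if ($null -eq $sig.SignerCertificate) { return }

    $cert     = $sig.SignerCertificate
    $lifetime = $cert.NotAfter - $cert.NotBefore

    # Heuristic 1: a certificate that was only ever valid for a few days.
    $shortLived = $lifetime.TotalDays -le $MaxDays
    # Heuristic 2: the issuing CA seen on the samples in the reports.
    $issuerHit  = $cert.Issuer -like "*$IssuerPattern*"

    if ($shortLived -or $issuerHit) {
        [PSCustomObject]@{
            File        = $_.FullName
            # A timestamped signature still reports Valid after NotAfter has
            # passed; it only stops being trusted once the certificate is revoked.
            Status      = $sig.Status
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotBefore   = $cert.NotBefore
            NotAfter    = $cert.NotAfter
            LifeDays    = [math]::Round($lifetime.TotalDays, 1)
            Timestamped = ($null -ne $sig.TimeStamperCertificate)
            Thumbprint  = $cert.Thumbprint
        }
    }
} | Sort-Object LifeDays | Format-Table -AutoSize
```

A short validity window is only a hunting signal, not proof of malice, since legitimate publishers also use the service; the useful follow-up on a hit is to submit the file and the certificate thumbprint to your antimalware vendor and to check whether the certificate has since been revoked, which is the mechanism Microsoft says it relies on to cut off abused certificates.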

Among the campaigns abusing the service are the Crazy Evil Traffers’ crypto heist and Lumma Stealer.

One of the ways Microsoft appears to be tackling this issue is to only allow certificates to be issued under a company’s name if that company has been operational for at least three years.

However, individuals can sign up and get faster approval if the certificate is issued under their own name.

Microsoft says it is constantly monitoring the landscape and revoking certificates that were found to have been abused.

“When we detect threats we immediately mitigate with actions such as broad certificate revocation and account suspension. The malware samples you shared are detected by our antimalware products and we have already taken action to revoke the certificates and prevent further account abuse,” the company noted.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
