| Name |
Signing Malicious Code |
|
| Likelyhood of attack |
Typical severity |
| High |
Very High |
|
| Summary |
The attacker extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the attacker has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the attacker to execute arbitrary code on the victim's computer. |
| Prerequisites |
The targeted developer must use a signing key to sign code bundles. (Note that not doing this is not a defense - it only means that the attacker does not need to steal the signing key before forging code bundles in the developer's name.) |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
The adversary first attempts to obtain a digital certificate in order to sign their malware or tools. This certificate could be stolen, created by the adversary, or aquired normally through a certificate authority. |
|
| 2 |
Explore |
Based on the type of certificate obtained, the adversary will create a goal for their attack. This is either a broad or targeted attack. If an adversary was able to steal a certificate from a targeted organization, they could target this organization by pretending to have legitimate code signed by them. In other cases, the adversary would simply sign their malware and pose as legitimate software such that any user might trust it. This is the more broad approach |
|
| 3 |
Experiment |
The adversary creates their malware and signs it with the obtained digital certificate. The adversary then checks if the code that they signed is valid either through downloading from the targeted source or testing locally. |
|
| 4 |
Exploit |
Once the malware has been signed, it is then deployed to the desired location. They wait for a trusting user to run their malware, thinking that it is legitimate software. This malware could do a variety of things based on the motivation of the adversary. |
|
|
| Solutions | |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-732 |
Incorrect Permission Assignment for Critical Resource |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-68 |
Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack. |
|
| Taxonomy: ATTACK |
|
Entry ID
|
Entry Name
|
| 1553.002 |
Subvert Trust Controls:Code Signing |
|