Microsoft Trusted Signing Service Misused for Malware Code Signing


Researchers have found that cybercriminals are abusing Microsoft's Trusted Signing service to sign malware with short-lived code-signing certificates that are valid for only three days. A valid Authenticode signature lets a malicious executable pass as a legitimate application and slip past security controls that treat unsigned executables with suspicion, such as the warnings and reputation checks an unsigned binary triggers.

Code-signing certificates have long been prized by threat actors because a valid signature lends authenticity to a malicious file. Extended Validation (EV) certificates are the most sought after: their stricter identity vetting earns them more trust from security products, including Microsoft's SmartScreen reputation system. They are also the hardest to obtain, so attackers typically steal them from legitimate companies or set up front businesses to pass the vetting.

The service now being abused is Microsoft's Trusted Signing, which reached general availability in 2024. It is a cloud-based code-signing service aimed at developers: for a $9.99 monthly subscription it provides identity validation, certificates that are deliberately short-lived (three days each, which limits the damage from any single abused certificate), and a timestamping service. The same low cost and light friction that make it attractive to legitimate developers make it attractive to cybercriminals, and the recent surge in abuse has raised alarms.

Malware samples signed with certificates issued by the "Microsoft ID Verified CS EOC CA 01" certificate authority have been linked to ongoing campaigns, including the Crazy Evil Traffers crypto-theft operation. Each certificate expires three days after issuance, but because the signatures are timestamped by the service, Windows keeps treating a signed executable as validly signed after the certificate expires. The signature only stops validating once Microsoft revokes the certificate, which gives attackers a usable window well beyond the three days.
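The two properties described above (a three-day certificate from the named Microsoft CA, and a timestamped signature that still validates after expiry) are easy to check on a Windows host. The following triage script is an added example and is not from the report or from Microsoft. It scans a set of files with Get-AuthenticodeSignature, keeps only signatures whose signer certificate matches that profile, and then runs an independent chain build with online revocation checking, because a timestamped signature is reported as "Valid" until the certificate is actually revoked. The script name, the scan paths and the issuer-name and lifetime parameters are assumptions for the example.

```powershell
# Added triage script, not taken from the report. Flags Authenticode signatures whose
# signer certificate was issued by the CA named in the report and lived three days or
# less, then asks the OS chain engine whether that certificate has been revoked.
# Assumptions: Windows with PowerShell 5.1 or 7; issuer name and lifetime threshold
# are parameters so they can be adjusted for other short-lived issuers.
param(
    [Parameter(Mandatory = $true)]
    [string[]] $Path,                                                    # files or directories to scan
    [string]   $IssuerPattern   = 'Microsoft ID Verified CS EOC CA 01',  # issuing CA named in the report
    [double]   $MaxLifetimeDays = 3                                      # Trusted Signing certificates live three days
)

$files = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys, *.msi -ErrorAction SilentlyContinue

foreach ($file in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { continue }

    $cert = $sig.SignerCertificate
    # Keep only the short-lived, Microsoft-issued profile described in the report.
    if ($cert.Issuer -notmatch [regex]::Escape($IssuerPattern)) { continue }
    $lifetimeDays = ($cert.NotAfter - $cert.NotBefore).TotalDays
    if ($lifetimeDays -gt $MaxLifetimeDays) { continue }

    # Get-AuthenticodeSignature keeps reporting "Valid" for a timestamped signature after
    # the certificate expires, so query revocation status directly. This does an online
    # CRL/OCSP lookup and therefore needs network access to the CA's endpoints.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -eq 'Revoked' })

    [pscustomobject]@{
        File            = $file.FullName
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        NotBefore       = $cert.NotBefore
        NotAfter        = $cert.NotAfter
        LifetimeDays    = [math]::Round($lifetimeDays, 2)
        Timestamped     = [bool]$sig.TimeStamperCertificate   # timestamp is why the signature outlives the cert
        SignatureStatus = $sig.Status                          # what Windows itself reports
        ChainStatus     = if ($chainStatus) { $chainStatus } else { 'NoError' }
        Revoked         = $revoked
        Thumbprint      = $cert.Thumbprint
    }
}
```

Run it as, for example, `.\Find-ShortLivedSignatures.ps1 -Path C:\Users\Public\Downloads | Format-Table -AutoSize` (the script name and path are placeholders). A hit is not proof of malice: legitimate Trusted Signing subscribers produce exactly the same issuer and lifetime, so the output is a triage list to be combined with the file's reputation, origin and behaviour. The Revoked column is only meaningful when the chain build could reach the CA's revocation endpoints; an offline host will report RevocationStatusUnknown or OfflineRevocation in ChainStatus instead.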

Security researcher 'Squiblydoo', who tracks code-signing abuse, attributes the shift to Microsoft's service to confusion among attackers about EV certificates and to the perceived ease of obtaining Microsoft's code-signing certificates. In response to the abuse, Microsoft has stated that it uses active threat-intelligence monitoring to detect misuse of the service and revoke the offending certificates quickly.

The episode is a reminder that a valid signature from a trusted platform proves only that the signer passed the issuer's identity check, not that the code is benign. Defenders should treat a signature as one signal to weigh alongside reputation, origin and behaviour, and should expect the abuse of trusted platforms to continue.
