The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the adversary has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the adversary to execute arbitrary code on the victim's computer. This differs from CAPEC-673, because the adversary is performing the code signing.
Description
Attack Execution Flow
Step 1
ExploreThe adversary first attempts to obtain a digital certificate in order to sign their malware or tools. This certificate could be stolen, created by the adversary, or acquired normally through a certificate authority.
L'avversario tenta inizialmente di ottenere un certificato digitale al fine di firmare il proprio malware o strumenti. Questo certificato potrebbe essere stato rubato, creato dall'avversario o acquisito normalmente tramite una certification authority.
Step 2
ExploreBased on the type of certificate obtained, the adversary will create a goal for their attack. This is either a broad or targeted attack. If an adversary was able to steal a certificate from a targeted organization, they could target this organization by pretending to have legitimate code signed by them. In other cases, the adversary would simply sign their malware and pose as legitimate software such that any user might trust it. This is the more broad approach
In base al tipo di certificato ottenuto, l'avversario stabilirà un obiettivo per il loro attacco. Si tratta di un attacco sia ampio che mirato. Se un avversario riuscisse a rubare un certificato da un'organizzazione mirata, potrebbe prendere di mira questa organizzazione fingendo di avere codice legittimamente firmato da loro. In altri casi, l'avversario semplicemente firmerebbe il proprio malware e si spacerebbe come software legittimo, in modo che qualsiasi utente possa fidarsi di esso. Questo è l'approccio più ampio
Step 3
ExperimentThe adversary creates their malware and signs it with the obtained digital certificate. The adversary then checks if the code that they signed is valid either through downloading from the targeted source or testing locally.
L'attore malevolo crea il proprio malware e lo firma con il certificato digitale ottenuto. Successivamente, verifica se il codice firmato è valido, sia scaricandolo dalla fonte mirata sia testandolo localmente.
Step 4
ExploitOnce the malware has been signed, it is then deployed to the desired location. They wait for a trusting user to run their malware, thinking that it is legitimate software. This malware could do a variety of things based on the motivation of the adversary.
Una volta che il malware è stato firmato, viene quindi distribuito nella posizione desiderata. Attendono che un utente fiducioso esegua il malware, pensando che si tratti di software legittimo. Questo malware potrebbe compiere una varietà di azioni in base alla motivazione dell’avversario.
Mitigations
Ensure Digital Certificates Are Protected And Inaccessible By Unauthorized Uses.
Even If A Piece Of Software Has A Valid And Trusted Digital Signature, It Should Be Assessed For Any Weaknesses And Vulnerabilities.
If A Digital Certificate Has Been Compromised It Should Be Revoked And Regenerated.
Consequences
Consequence Information
{'impacts': [], 'impacts_translate': [], 'scopes': [], 'scopes_translate': []}