I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware

The attestation signing process offloads the responsibility of verifying the identity of the requesting hardware or software vendor to the Certificate Authorities. In theory this is a sound process, since the CAs must follow agreed-upon procedures to verify both the identity of the requesting entity and the authority of the individual making the request to represent the software vendor. In practice, however, this process is being abused to obtain malware signed by Microsoft.

Code Signing

Let’s break that up. What exactly is ‘the attestation signing process’? Software vendors obtain code signing certificates from trusted Certificate Authorities (CAs), according to standards set by the CA/Browser Forum and the CA Security Council. The certificate is then used to sign the software, establishing a level of trust between the software and the operating system.

Malicious Driver Signing as a Service

The use of stolen or fraudulently obtained code signing certificates by threat actors has been a common tactic, and providing these certificates or signing services has proven a lucrative niche in the underground economy.
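As an added example (not code from the article or its author), the following PowerShell triage inventories the kernel drivers running on a Windows host and separates attestation-signed drivers from WHQL-certified ones by the Enhanced Key Usage on the signer certificate, which is the defender-side counterpart of the signing process described above. The two OID values are Microsoft's documented EKUs for the two signing paths; the classification itself is this script's own heuristic and assumes Windows PowerShell's `Get-AuthenticodeSignature` and `Win32_SystemDriver`.

```powershell
# Added example (not from the original article): inventory running kernel drivers
# and flag those whose Authenticode signer carries the attestation-signing EKU,
# so they can be reviewed separately from WHQL-certified drivers.
# Assumption: the EKU OIDs below are Microsoft's documented values; the
# classification is this script's own heuristic, not the article's method.
$AttestedEku = '1.3.6.1.4.1.311.10.3.5.1'   # Windows Hardware Driver Attested Verification
$WhqlEku     = '1.3.6.1.4.1.311.10.3.5'     # Windows Hardware Driver Verification (WHQL)

function Get-DriverSigningClass {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Class = 'Unsigned/Invalid'; Signer = $null; Status = $sig.Status }
    }
    # EnhancedKeyUsageList is PowerShell's extended property on X509Certificate2.
    $ekus  = @($sig.SignerCertificate.EnhancedKeyUsageList | ForEach-Object ObjectId)
    $class = if ($ekus -contains $AttestedEku) { 'Attestation' }
             elseif ($ekus -contains $WhqlEku) { 'WHQL' }
             else { 'Other' }
    [pscustomobject]@{
        Path   = $Path
        Class  = $class
        Signer = $sig.SignerCertificate.Subject
        Status = $sig.Status
    }
}

# Resolve each running driver's image path (several path prefixes occur) and classify it.
$results = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $p = $_.PathName -replace '^\\\?\?\\', '' `
                         -replace '^\\SystemRoot', $env:SystemRoot `
                         -replace '^System32', "$env:SystemRoot\System32"
        if (Test-Path -LiteralPath $p) { Get-DriverSigningClass -Path $p }
    }

# Attestation-signed drivers are not malicious by themselves; they are the set
# to reconcile against the vendor inventory expected on this host.
$results | Where-Object Class -eq 'Attestation' | Sort-Object Signer | Format-Table -AutoSize
```

Run it from an elevated prompt so every driver image is readable; catalog-signed inbox drivers report their catalog signer rather than an embedded signature.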
