Threat actors are increasingly code-signing malware executables with three-day certificates obtained through the Microsoft Trusted Signing service, in an effort to appear legitimate and evade security controls, according to BleepingComputer.

Because executables signed through the service continue to validate until the certificates are revoked, the scheme has already been used in the Crazy Evil Traffers and Lumma Stealer attack campaigns, BleepingComputer and other cybersecurity researchers noted. More malicious actors have switched to Microsoft's service for code-signing malware because of its convenience, following unclear changes to Extended Validation (EV) certificates, said cybersecurity researcher and developer Squiblydoo. "For a long time, using EV certificates has been the standard, but Microsoft has announced changes to EV certificates... However, due to these potential changes and lack of clarity, just having a code-signing certificate may be adequate for attacker needs," Squiblydoo said. Meanwhile, Microsoft has confirmed that it has invalidated the malicious certificates and suspended the associated accounts.
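A defender-side check that follows from the report above, written as an added example for this page (it is not BleepingComputer's or Microsoft's code): a signed binary's Authenticode status alone does not reveal that it was signed with a three-day certificate, but the signing certificate's validity window does. The function below reads each file's signer certificate and flags unusually short validity periods; the `Get-ShortLivedSignerReport` name, the seven-day threshold and the Downloads folder used in the usage call are assumptions for illustration, and the script does not assert which issuer corresponds to the Trusted Signing service, leaving issuer review to the analyst.

```powershell
# Added example, not from the article: report signed binaries whose signing
# certificate was valid for only a few days. Threshold and paths are assumptions.
function Get-ShortLivedSignerReport {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [int] $MaxValidityDays = 7   # assumed threshold; three-day certificates fall well under it
    )

    foreach ($file in $Path) {
        $sig  = Get-AuthenticodeSignature -FilePath $file
        $cert = $sig.SignerCertificate

        # Unsigned or unreadable files have no signer certificate; report them and move on.
        if ($null -eq $cert) {
            [pscustomobject]@{
                File         = $file
                Status       = $sig.Status
                Issuer       = $null
                Subject      = $null
                NotBefore    = $null
                NotAfter     = $null
                ValidityDays = $null
                ShortLived   = $false
            }
            continue
        }

        # Length of the certificate's own validity window, independent of signature status.
        $days = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays, 2)

        [pscustomobject]@{
            File         = $file
            Status       = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
            Issuer       = $cert.Issuer       # reviewed manually; no issuer string is assumed here
            Subject      = $cert.Subject
            NotBefore    = $cert.NotBefore
            NotAfter     = $cert.NotAfter
            ValidityDays = $days
            ShortLived   = ($days -le $MaxValidityDays)
        }
    }
}

# Usage (folder is an assumption): collect PE files, then surface the short-lived
# signers for triage alongside their issuer and signature status.
$files = Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.dll -Recurse -File |
    ForEach-Object { $_.FullName }

Get-ShortLivedSignerReport -Path $files |
    Where-Object { $_.ShortLived } |
    Format-Table File, Status, Issuer, Subject, ValidityDays -AutoSize
```

Sort or filter on `Status` separately rather than relying on it as the signal: an Authenticode signature that carries a trusted timestamp counter-signature stays `Valid` after the short certificate itself expires, which is why the validity window length, combined with issuer review and revocation checks, is the useful triage attribute here.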