Common Information
Type | Value |
---|---|
Value | Code Signing Certificates - T1587.002 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. (Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations. |
Details | | Published | Attributes | CTI Title |
---|---|---|---|---|
Details | Website | 2022-03-25 | 4 | Purple Fox Uses New Arrival Vector and Improves Malware Arsenal |
Details | Website | 2022-03-21 | 5 | A Behind the Scenes Look into Investigating Conti Leaks \| Analyst1 |
Details | Website | 2022-03-01 | 65 | IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine \| WeLiveSecurity |
Details | Website | 2022-02-23 | 314 | (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware \| Mandiant |
Details | Website | 2021-12-24 | 3 | New BLISTER Malware Using Code Signing Certificates to Evade Detection |
Details | Website | 2021-12-22 | 30 | BLISTER malware campaign discovered |
Details | Website | 2021-10-12 | 62 | Going Coast to Coast - Climbing the Pyramid with the Deimos Implant |
Details | Website | 2021-08-10 | 105 | UNC215: Spotlight on a Chinese Espionage Campaign in Israel \| Mandiant |
Details | Website | 2021-08-03 | 75 | APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere |
Details | Website | 2021-06-16 | 87 | Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise \| Mandiant |
Details | Website | 2021-05-18 | 53 | W3 May \| EN \| Story of the week: Code Signing Certificate on the Darkweb |
Details | Website | 2021-02-25 | 190 | So Unchill: Melting UNC2198 ICEDID to Ransomware Operations \| Mandiant |
Details | Website | 2021-02-03 | 4 | EDR and Blending In: How Attackers Avoid Getting Caught |
Details | Website | 2021-01-14 | 663 | Higaisa or Winnti? APT41 backdoors, old and new |
Details | Website | 2020-12-15 | 74 | QakBot reducing its on disk artifacts - Hornetsecurity |
Details | Website | 2020-11-16 | 98 | Lazarus supply‑chain attack in South Korea \| WeLiveSecurity |
Details | Website | 2020-10-14 | 2 | FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft \| Mandiant |
Details | Website | 2020-10-12 | 17 | "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon |
Details | Website | 2020-07-20 | 2 | What even is Winnti? - Risky Business |
Details | Website | 2020-01-08 | 12 | From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications |
Details | Website | 2019-12-12 | 30 | GALLIUM: Targeting global telecom |
Details | Website | 2019-03-22 | 276 | UNKNOWN |
Details | Website | 2019-03-04 | 7 | APT40 \| Examining a China-Nexus Espionage Actor \| Mandiant |
Details | Website | 2018-08-01 | 735 | On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation \| Mandiant |