How Attackers Abuse Application Signing

Application signing is a security practice that uses cryptographic signing of software applications to assure the authenticity and integrity and authenticity of an application's executable file. Application signing aims to ensure that a particular file has not been tampered with or modified by unauthorized parties and that it comes from the original developer. 

However, application signing is far from perfect and attackers use several known techniques to abuse digital signatures. Malicious techniques that leverage application singing can trick users into a false sense of trust that a particular executable file is authentic. In more sophisticated malware attacks, threat actors use legitimately signed applications with known vulnerabilities as a doorway to executing malicious code. 

Let's review how application signing works and examine how attackers abuse application signing to distribute malware:

How Does Application Signing Work?

The process of application signing typically involves the following steps taken by an application developer to associate a particular executable file with a digital signature that can verify its integrity and origins:

1. Developer Signing: The software developer generates a digital signature for the application by using a private key. Trustworthy developers typically obtain digital certificates for code signing via a verification process through a Certificate Authority (CA) organization - the same organizations that issue SSL/TLS certificates for domains. However, developers can also generate their own self-signed private keys. Either way, the signature generated by a private key is unique to the developer or organization responsible for the software

2. Cryptographic Hashing: A cryptographic hash function is applied to the application's code or executable file to generate a fixed-size hash value, which serves as a digital fingerprint of the software

3. Signing the Hash: The developer's private key encrypts the hash value, creating a digital signature. This signature is packaged with the application such that it can be verified by an operating system when the file is installed or executed

4. Distribution: The signed application is distributed to users or made available for download

How Attackers Leverage Application Signing In Their Attacks

While application signing is primarily used as a security measure, attackers can also leverage it for malicious cyber techniques. Here are a few ways malicious actors exploit application signing:

• Private Key Theft: Attackers may steal the private key of a trusted developer or obtain a new private key from the CA via stolen credentials or unauthorized access to an organization's IT environment. With a valid certificate in hand, attackers can sign their malicious software, making it appear legitimate and trustworthy.

• Application Impersonation: Attackers can create counterfeit or fake versions of popular applications, sign them with their own self-generated certificates, and distribute them through third-party app stores or malicious websites. Attacks can outfit their own self-signed certificates with fake information to spoof the original app developer and rely on the user's lack of technical savvy to notice the difference.

• Malware Persistence: By signing malware with a stolen certificate, attackers create malware that can evade detection by anti-virus or other security software and run persistently on the infected system allowing it to continue its malicious activities undetected for longer periods of time.

• Exploiting Trusted Executables: Attackers have also used digitally signed software with known vulnerabilities to launch attacks. By incorporating these exploitable - yet trusted - executables into their malware, attackers can exploit the app's known vulnerabilities with techniques such as DLL-sideloading to execute malicious code. Since the trusted executables are signed and trusted by the operating system, they are less likely to raise suspicion or be blocked by security mechanisms.

Defending Against Rogue Digital Signatures

Defending against rogue digital signatures requires a multi-layered approach that combines various security measures.

Here are several methods to consider depending on the particular IT infrastructure and operations being defended:

• Deploy Security Products: Anti-Virus and Endpoint Detection and Response (EDR) can identify known malicious software, including malware with rogue digital signatures. However, it's essential to ensure that anti-virus or EDR solutions are frequently updated on all systems to detect the latest known threats.

• Threat Intelligence Services: Stay updated with the latest threat intelligence and indicators of compromise (IOCs) by subscribing to threat intelligence feeds or certificate reputation services. These services allow defenders to automatically check the reputation and validity of digital certificates used for signing applications and block applications signed with compromised or malicious certificates

• Defense in Depth: Implement a defense-in-depth strategy combining fundamental network security measures, such as firewalls and intrusion detection/prevention systems, host-based security controls like application whitelisting and sandboxing, and employ strong access security controls such as MFA and zero trust security solutions. By using layered security, the chances of detecting and blocking malicious software with rogue digital signatures are significantly increased, and layered protections can prevent a successful malware attack from causing significant damage

• Vulnerability Management and Patch Management: Conduct proactive vulnerability scanning activities and keep all software and operating systems up to date with the latest security patches and updates. By proactively addressing vulnerabilities and applying security updates, organizations can address secondary vulnerabilities that attackers seek to exploit and reduce the risk posed by rouge software.

• User Education and Awareness: Educate users about the general risks associated with downloading and executing software from an untrusted source and how to classify sources as trusted or untrusted. Also, encourage users to be critical about installing applications and to report any suspicious or unexpected behavior to the IT/security team.

Furthermore, mitigation strategies for software developers include, but are not limited to:

• Secure Key Management: Establish guidelines and procedures for code signing, including the use of secure signing infrastructure and proper key management practices to protect private keys used for signing applications, and regularly rotate them to minimize the impact of key compromise. Store private keys in secure hardware devices or cryptographic modules that provide tamper-resistant protection. This helps maintain control over the signing process and prevents unauthorized signing of applications. Organizations should also be prepared to revoke private keys if they are found to be compromised

• Ensure A Secure Software Development Lifecycle (SDLC): Incorporate secure coding practices and thorough security testing into the software development lifecycle and perform static code analysis, dynamic application testing, and vulnerability scanning to identify and mitigate security weaknesses early in the development process. By promoting secure coding practices, you can reduce the risk of unintentionally signing vulnerable or malicious software that can be leveraged by attackers

Conclusion

Application signing is a security practice that involves digitally signing software applications to ensure their authenticity and integrity. However, attackers can abuse application signing by stealing private keys, creating counterfeit applications, exploiting trusted executables, and using malicious DLLs.

Defending against rogue digital signatures requires a multi-layered approach, including deploying security products, leveraging threat intelligence services, implementing defense in depth, conducting vulnerability and patch management, educating users, and maintaining secure key management and a secure software development lifecycle.

Ready to strengthen your security posture against common exploits like application signing abuse? Contact us today for your free, zero-obligation quote.