While working on a Sherlock from HackTheBox, I researched a tactic of threat actors abusing the Microsoft driver signing process to allow their malware to be digitally signed by Microsoft.

General Information

An example of this from the Google Cloud / Mandiant blog post:
VirusTotal – File – 4257ece19a9e4abc1eb251463bce623d2ac45afd0ed7939ba5e76ee9dbde2fa5

Screenshot: the VirusTotal detection page for the vpn.sys driver.
Screenshot: the Details tab for vpn.sys showing the valid certificate from Microsoft. Note the SpcSpOpusInfo field, which carries the program name supplied by the signer.

Using a tool such as Python’s Signify, you can easily parse the Program Name (the programName field of the SpcSpOpusInfo structure) from a digitally signed executable on Windows or Linux. The program name, such as 厦门恒信卓越网络科技有限公司 (Xiamen Hengxin Excellent Network Technology Co., Ltd.) in the above example, can be used to detect other executables signed under the same organization name that may also be malicious.
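To show what Signify is actually pulling out of the signature, here is an added example (my own code, not from the original post or from the Signify project) that parses the programName out of a raw SpcSpOpusInfo DER blob. The sample blob is constructed inline with the program name from the screenshot above and a placeholder moreInfo URL; locating the PKCS#7 blob inside the PE security directory and validating the certificate chain is left to a full Authenticode parser.

```python
from typing import Optional

# SpcSpOpusInfo ::= SEQUENCE {
#     programName [0] EXPLICIT SpcString OPTIONAL,
#     moreInfo    [1] EXPLICIT SpcLink   OPTIONAL }
# SpcString ::= CHOICE { unicode [0] IMPLICIT BMPSTRING, ascii [1] IMPLICIT IA5STRING }


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def program_name_from_opus_info(der: bytes) -> Optional[str]:
    """Return the programName from an SpcSpOpusInfo DER blob, or None if absent."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SpcSpOpusInfo must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag != 0xA0:                     # [1] moreInfo (and anything else) is skipped
            continue
        inner_tag, s, _ = read_tlv(val, 0)  # the SpcString CHOICE inside [0] EXPLICIT
        if inner_tag == 0x80:               # [0] IMPLICIT BMPString, i.e. UTF-16BE
            return s.decode("utf-16-be")
        if inner_tag == 0x81:               # [1] IMPLICIT IA5String
            return s.decode("ascii")
        raise ValueError(f"unexpected SpcString tag {inner_tag:#x}")
    return None


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tiny DER TLV encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    n_bytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | n_bytes]) + n.to_bytes(n_bytes, "big") + body


# Constructed sample (not a real signature): the program name from the vpn.sys
# screenshot as a BMPString, plus a placeholder moreInfo URL (SpcLink url [0] IA5String).
SAMPLE_NAME = "厦门恒信卓越网络科技有限公司"
SAMPLE_OPUS_INFO = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x80, SAMPLE_NAME.encode("utf-16-be")))
                           + der_tlv(0xA1, der_tlv(0x80, b"http://example.invalid")))
```

The returned string is the value to pivot on when hunting for other binaries signed under the same organization name.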

The Google Cloud / Mandiant article listed below also has a plethora of other examples of binaries that use the same program name. You can also find a similar list in this VirusTotal Collection or by pivoting off the above binary in VirusTotal’s Threat Graph.

Resources

2022

2023

2024