A major cybercrime operation that misused Microsoft’s code-signing platform to distribute trusted malware has been disrupted, according to a new report released by the company’s threat intelligence team.
Microsoft said the group, tracked as Fox Tempest, exploited the company’s Artifact Signing service to generate fake code-signing certificates. These certificates were then used to make malicious software appear legitimate to users and operating systems.
The company revealed that the attackers created more than 1,000 certificates along with hundreds of Azure tenants and subscriptions to support the operation. Microsoft also confirmed that it has revoked all affected certificates and launched legal action in the US District Court for the Southern District of New York.
“Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest,” the company said.
Microsoft stated that the cybercrime platform operated through the domain signspace[.]cloud, which has now been seized. The company also shut down hundreds of virtual machines connected to the operation and blocked access to related infrastructure.
The malware-signing service reportedly helped cybercriminals sign ransomware and malware linked to operations such as Oyster, Lumma Stealer, Vidar, Rhysida, Akira, INC, Qilin, and BlackByte.
According to Microsoft, attackers used signed malware files disguised as trusted applications including Microsoft Teams, AnyDesk, PuTTY, and Webex.
“When unsuspecting victims executed the falsely named Microsoft Teams installer files, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware,” the complaint stated.
The report also noted that the group allegedly used stolen identities from the US and Canada to pass verification checks and obtain signing credentials. The attackers mainly relied on short-lived certificates valid for 72 hours to avoid detection.
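The 72-hour certificate lifetime mentioned above is something a defender can check for directly from signature metadata. The following PowerShell script is an added example for this article; it is not code from Microsoft or from the report. It walks a directory of executables, reads each Authenticode signature, and lists signed files whose signing certificate was valid for 72 hours or less, or whose signature no longer validates (for example, after the certificate has been revoked). The scan root, file types and threshold are assumptions chosen for illustration.

```powershell
# Added example, not from the article or from Microsoft.
# Lists signed binaries whose signer certificate had a very short validity
# window, or whose signature is no longer Valid. A short lifetime is a triage
# signal, not a verdict: legitimate short-lived certificates exist too.

param(
    [string]$Path = 'C:\Users\Public\Downloads',   # assumed scan root
    [int]$MaxHours = 72                             # flag lifetimes at or below this (from the article)
)

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        # Unsigned files are outside the scope of this check; skip them.
        if ($null -eq $cert) { return }

        # Lifetime of the signing certificate itself, in hours.
        $lifetimeHours = ($cert.NotAfter - $cert.NotBefore).TotalHours

        [pscustomobject]@{
            File          = $_.FullName
            Status        = $sig.Status            # Valid, NotTrusted, HashMismatch, ...
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint       # useful for revocation lists and IoC matching
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            LifetimeHours = [math]::Round($lifetimeHours, 1)
            ShortLived    = ($lifetimeHours -le $MaxHours)
        }
    } |
    Where-Object { $_.ShortLived -or $_.Status -ne 'Valid' } |
    Sort-Object LifetimeHours |
    Format-Table File, Status, Subject, LifetimeHours, NotBefore, NotAfter -AutoSize
```

Run it as-is on a Windows host with PowerShell, or pass a different root with `-Path`. The `Status` column reflects the current chain validation, so a file signed with a certificate that has since been revoked will no longer show `Valid`; the `ShortLived` column is independent of revocation and surfaces the lifetime pattern the article describes even for files that still validate.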
Microsoft further revealed that the service was promoted through a Telegram channel named “EV Certs for Sale by SamCodeSign,” with access reportedly priced between $5,000 and $9,000 in Bitcoin.
The company believes the operation generated millions of dollars and functioned as a highly organised cybercrime business.