Hackers Exploit Microsoft Trusted Signing to Sign Malware

Cybercriminals are misusing Microsoft’s Trusted Signing service to code-sign malware using short-lived three-day certificates, making malicious files appear legitimate.

Code-signing certificates help bypass security filters that might otherwise flag unsigned executables as suspicious. Extended Validation (EV) certificates are especially valuable to attackers because security products and SmartScreen grant them a higher level of trust, but they are difficult to obtain and are typically revoked once misuse is detected.

Instead, hackers have turned to Microsoft's Trusted Signing service, launched in 2024, which lets developers sign their programs through a cloud-based service, with the certificates and signing keys managed by Microsoft rather than handed to the developer. The service provides a SmartScreen reputation boost, and its short-lived certificates are meant to make abuse harder to sustain long-term.

Researchers discovered malware signed with certificates chaining to "Microsoft ID Verified CS EOC CA 01", including samples from Crazy Evil Traffers and Lumma Stealer campaigns. Even after the three-day certificates expire, the signed executables continue to validate until the certificate is officially revoked, because a timestamped Authenticode signature is accepted as long as the certificate was valid at the moment of signing.
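The details above (a named issuing CA, a three-day validity window, signatures that survive expiry until revocation) are the kind of thing a responder can hunt for on an endpoint. The following PowerShell script is an added example, not code from the article or from Microsoft: it walks a directory, reads each file's Authenticode signature, computes the leaf certificate's validity window, builds the chain to see whether it passes through the issuing CA named above, and notes whether a timestamp countersignature is present. The scan path is a placeholder, and chain building assumes the intermediate certificates are cached locally or fetchable via the AIA URL.

```powershell
# Added hunting example (not from the article): surface signed PE files whose
# signing certificate is short-lived and/or chains to the Trusted Signing
# issuing CA named in the article. Windows, PowerShell 5.1 or later.

param(
    # Directory to scan; placeholder, adjust to your environment.
    [string]$Path = "C:\Users\Public\Downloads",
    # Validity window at or below which a leaf certificate counts as
    # short-lived. Trusted Signing issues three-day certificates.
    [int]$MaxValidityDays = 3
)

# Issuing CA reported in the article for the abused samples.
$SuspectIssuer = "Microsoft ID Verified CS EOC CA 01"

function Get-ShortLivedSignatureReport {
    param([string]$ScanPath, [int]$MaxDays, [string]$IssuerName)

    Get-ChildItem -Path $ScanPath -Recurse -Include *.exe, *.dll, *.sys, *.msi -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if (-not $sig.SignerCertificate) { return }   # unsigned file, nothing to inspect

        $leaf = $sig.SignerCertificate
        $validityDays = ($leaf.NotAfter - $leaf.NotBefore).TotalDays

        # Build the chain so the issuing CA is visible even when the leaf's
        # Issuer field alone is not conclusive. Online revocation checking
        # assumes the host can reach the CA's CRL/OCSP endpoints.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $null = $chain.Build($leaf)
        $chainSubjects = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
        $chainsToSuspectCA = (($chainSubjects -join ';') -like "*$IssuerName*")

        # A timestamp countersignature is what keeps the signature valid after
        # the three-day leaf certificate expires.
        $hasTimestamp = [bool]$sig.TimeStamperCertificate

        $revoked = ($chain.ChainStatus | Where-Object { "$($_.Status)" -match 'Revoked' } | Measure-Object).Count -gt 0

        [pscustomobject]@{
            File           = $_.FullName
            Status         = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Subject        = $leaf.Subject
            Issuer         = $leaf.Issuer
            NotBefore      = $leaf.NotBefore
            NotAfter       = $leaf.NotAfter
            ValidityDays   = [math]::Round($validityDays, 2)
            ShortLived     = ($validityDays -le $MaxDays)
            TrustedSigning = $chainsToSuspectCA
            Timestamped    = $hasTimestamp
            Revoked        = $revoked
        }
    }
}

Get-ShortLivedSignatureReport -ScanPath $Path -MaxDays $MaxValidityDays -IssuerName $SuspectIssuer |
    Where-Object { $_.ShortLived -or $_.TrustedSigning -or $_.Revoked } |
    Sort-Object NotBefore -Descending |
    Format-Table File, Status, ShortLived, TrustedSigning, Timestamped, Revoked, Subject -AutoSize
```

A hit is a lead, not a verdict: legitimate Trusted Signing customers produce exactly the same pattern of a three-day leaf certificate under that CA, so the output is a list of files to triage against the signer subject, the file's origin, and its hash, not a list of malware. The `Revoked` column only becomes useful once Microsoft has pulled the certificate, which is the point the article makes about the window between expiry and revocation.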

The easier verification process compared to EV certificates has likely contributed to attackers' shift toward Microsoft's signing service. While Microsoft only issues certificates in a company's name to businesses that have operated for at least three years, individuals can sign up more easily, which may facilitate abuse.

Microsoft responded by stating it actively monitors for misuse, revokes certificates when threats are detected, and has already taken action against the identified malware samples.
