To evade detection by security software, malware developers and threat actors increasingly use compromised code-signing certificates to sign their malware.
This trend was illustrated this week when Microsoft disclosed during the December Patch Tuesday that developer accounts were compromised to sign malicious, kernel-mode hardware drivers in the Windows Hardware Developer Program.
Because Microsoft itself signed these drivers, they passed Windows driver signature enforcement and could be loaded to run in kernel mode, the highest level of privilege in the operating system.
These drivers were used as part of a toolkit consisting of STONESTOP (loader) and POORTRY (driver) malware that disabled protected security software processes and Windows services running on the computer.
Coordinated reports from Microsoft, Mandiant, Sophos, and SentinelOne indicated that multiple threat actors used malware signed using these compromised accounts, including the Hive and Cuba ransomware operations.
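A practical check that follows from the above: drivers signed through the Windows Hardware Developer Program carry Microsoft's "Microsoft Windows Hardware Compatibility Publisher" signer, so a defender can list the kernel drivers currently running, pull each one's Authenticode or catalog signature, and triage the third-party ones with that signer alongside anything unsigned or tampered. The script below is an added example written for this roundup, not code from Microsoft or any of the vendors cited; it assumes Windows 10 or later with PowerShell 5.1+, run from an elevated prompt so driver files are readable. A WHCP signature by itself is expected for legitimate hardware drivers and is not evidence of compromise; the output is a triage list to compare against Microsoft's revocations and your own inventory, not a verdict.

```powershell
# Added example (not from the article): triage running kernel drivers by Authenticode signer.
# Assumptions: Windows 10+, PowerShell 5.1 or later, elevated session.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several NT-style forms; normalise to a Win32 path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                        # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"          # expand \SystemRoot\
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"     # bare System32\ paths
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # assume relative to Windows dir
    return $p
}

function Get-RunningDriverSignature {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not $path -or -not (Test-Path $path)) { return }   # skip entries with no file on disk
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name          = $_.Name
                Path          = $path
                Status        = $sig.Status                # Valid, NotSigned, HashMismatch, ...
                SignatureType = $sig.SignatureType         # Authenticode (embedded) or Catalog
                IsOSBinary    = $sig.IsOSBinary            # $true for Windows' own components
                Signer        = $sig.SignerCertificate.Subject
                CertNotBefore = $sig.SignerCertificate.NotBefore
            }
        }
}

# Triage view: third-party (non-OS) drivers carrying the WHCP signer, plus anything unsigned
# or whose hash no longer matches its signature. Newest signing certificates first.
$drivers = Get-RunningDriverSignature
$drivers | Where-Object {
    ($_.Status -ne 'Valid') -or
    (-not $_.IsOSBinary -and $_.Signer -like '*Windows Hardware Compatibility Publisher*')
} | Sort-Object CertNotBefore -Descending |
    Format-Table Name, Status, SignatureType, Signer, Path -AutoSize
```

Read the list with the reporting above in mind: the drivers of interest are the ones you cannot tie to installed hardware or a known vendor package, especially those sitting outside the usual driver directories. A `HashMismatch` or `NotSigned` status on a running driver warrants immediate attention regardless of signer.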
Microsoft also fixed a Windows Mark of the Web zero-day vulnerability that threat actors actively exploited in malware distribution campaigns, including those for Magniber Ransomware and QBot.
Other research released this week includes: