Microsoft disrupts malware-signing service tied to ransomware groups

by

Microsoft said on Tuesday it disrupted a malware-signing-as-a-service operation that abused its Artifact Signing platform to generate fraudulent certificates used by ransomware gangs and other cybercriminals. The company said the operation created more than 1,000 certificates and hundreds of Azure tenants and subscriptions.

KEY FACTS

  • Platform abuse: The operation used Microsoft Artifact Signing to make malware appear legitimate.
  • Scale: Microsoft said it revoked over 1,000 code-signing certificates linked to the scheme.
  • Disruption: The company seized the signspace[.]cloud domain and took hundreds of virtual machines offline.
  • Targets: Signed files were tied to Oyster, Lumma Stealer, Vidar and ransomware operations including Rhysida, Akira, INC, Qilin and BlackByte.

In a Microsoft Threat Intelligence report, the company said the threat actor tracked as Fox Tempest used the cloud service to issue short-lived certificates that were valid for 72 hours. Microsoft said the abuse let malware be digitally signed and initially treated as legitimate by Windows and users.

The report said the operation ran through signspace[.]cloud and gave customers a way to upload malicious files for code signing using fraudulently obtained credentials. Microsoft also said the platform was promoted on a Telegram channel and that access cost between $5,000 and $9,000 in bitcoin.

Microsoft said the signed files were used to impersonate software such as Microsoft Teams, AnyDesk, PuTTY and Webex. In one example cited in the complaint, a falsely named Teams installer delivered Oyster malware and then Rhysida ransomware.

The disclosure said the operators likely used stolen identities from the United States and Canada to pass identity checks for Artifact Signing. It also said Microsoft linked the service to Vanilla Tempest and named that ransomware operation as a co-conspirator in the legal action.

WHY IT MATTERS

The case shows how attackers can turn trusted signing systems into delivery tools for malware and ransomware. It also highlights the challenge of detecting short-lived certificates before they are used in campaigns that can look legitimate at first glance.
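The two signals the report describes, certificates valid for only 72 hours and signed files whose names impersonate products such as Teams, AnyDesk, PuTTY and Webex, can be turned into a simple triage check over signature metadata. The following is an added illustration written for this article; it is not Microsoft's tooling and not part of the report. It assumes the signature fields (signer common name, validity window, signing time) have already been extracted from each binary by whatever Authenticode parser the reader uses, and the expected-publisher table and the sample records are constructed for the example, not taken from the report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed lookup for this example: product keyword found in a file name
# mapped to the publisher name expected in the signing certificate's subject.
# The publisher strings are illustrative assumptions, not verified values.
EXPECTED_PUBLISHER = {
    "teams": "Microsoft Corporation",
    "anydesk": "AnyDesk Software GmbH",
    "putty": "Simon Tatham",
    "webex": "Cisco Systems, Inc.",
}

# The report says the abused certificates were valid for 72 hours.
SHORT_LIVED = timedelta(hours=72)


@dataclass
class SignedFile:
    """Signature metadata already extracted from one binary (assumed input)."""
    filename: str
    signer_cn: str          # subject common name of the leaf certificate
    not_before: datetime
    not_after: datetime
    signing_time: datetime  # counter-signature / timestamp time


def assess(f: SignedFile) -> list[str]:
    """Return a list of triage findings for one signed file (empty = nothing odd)."""
    findings = []

    # Signal 1: very short certificate lifetime. Legitimate cloud signing
    # services also issue short-lived certificates, so this alone is only a hint.
    lifetime = f.not_after - f.not_before
    if lifetime <= SHORT_LIVED:
        findings.append(f"short-lived certificate ({lifetime.total_seconds() / 3600:.0f}h)")

    # Signal 2: the file name claims a well-known product but the certificate
    # subject is not that product's publisher.
    name = f.filename.lower()
    for product, publisher in EXPECTED_PUBLISHER.items():
        if product in name and f.signer_cn != publisher:
            findings.append(f"file name suggests {product} but signer is {f.signer_cn!r}")

    # Signal 3: signing time outside the certificate's validity window.
    if not (f.not_before <= f.signing_time <= f.not_after):
        findings.append("signing time outside certificate validity window")

    return findings


def triage(files: list[SignedFile]) -> dict[str, list[str]]:
    """Map each file name to its findings; files with no findings map to []."""
    return {f.filename: assess(f) for f in files}


def _utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed sample records (not from the report): one installer impersonating
# Teams under a 72-hour certificate from an unrelated signer, and one file
# signed by the expected publisher under a one-year certificate.
SAMPLES = [
    SignedFile("Teams_Installer.exe", "Example Holdings LLC",
               _utc(2024, 1, 1), _utc(2024, 1, 4), _utc(2024, 1, 2, 12)),
    SignedFile("TeamsSetup.exe", "Microsoft Corporation",
               _utc(2023, 1, 1), _utc(2024, 1, 1), _utc(2023, 6, 1)),
]

if __name__ == "__main__":
    for filename, findings in triage(SAMPLES).items():
        print(filename, "->", findings or "no findings")
```

A short lifetime on its own is not evidence of abuse, since Artifact Signing issues short-lived certificates to legitimate customers too; the useful signal in this case is the combination of a short-lived certificate with a signer that does not match the product the file pretends to be, which is why the check reports each signal separately rather than collapsing them into one verdict.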