Microsoft disrupts cybercrime service offering malware disguised as legitimate software


The downstream impact of that service’s operations “has resulted in attacks against a broad range of industry sectors” in the U.S. and other nations, the company said.

Microsoft on Tuesday took actions against a “malware-signing-as-a-service” provider that has helped criminal hackers evade security defenses designed to check whether software is legitimate.

The group, dubbed Fox Tempest, was found to be abusing Microsoft code signing tools that validate whether software has been tampered with. Microsoft said it seized Fox Tempest’s website, took down hundreds of virtual machines running its operation and blocked access to another site that hosted underlying code used by the group.

Microsoft also unsealed a legal case in New York that targeted the group, and named another ransomware gang known as Vanilla Tempest as a co-conspirator.

Normally, a software signing certificate is meant to show that a program comes from a known publisher and has not been altered by the time it is downloaded and installed. Operations like Fox Tempest are sought after in the cybercriminal world because they can be paid to bless hackers’ malware with a valid-looking signature that helps it evade detection.

Fox Tempest has been operating its malware disguise services since May of last year, Microsoft said. The downstream impact of its operations — which have let other criminal hackers distribute ransomware and other malicious packages — “has resulted in attacks against a broad range of industry sectors, including healthcare, education, government, and financial services” in the U.S., France, India and China, the company said in an assessment of the group.

Hackers paid thousands of dollars to get their malicious code signed by Fox Tempest, with higher-paying plans receiving priority, the company added.

Illicit code-signing tools have been exchanged for years, but “what’s changed is how this activity is marketed, packaged and sold as a service, along with the scale at which it is now used across ransomware campaigns,” Microsoft’s Digital Crimes Unit assistant general counsel Steven Masada said in a prepared statement.

“When attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe. Disrupting that capability is key to raising the cost of cybercrime,” he said.