Attestation signing of drivers through the Windows Hardware Compatibility process is being abused to sign POORTRY and other malware samples with legitimate Microsoft certificates. The programName field in Authenticode data helps identify associated samples and reveals ties to multiple organizations, enabling rapid pivoting to related binaries. #POORTRY #TEMPLESHOT
Key points
- POORTRY samples are linked to attestation-signed drivers using a Microsoft Windows Hardware Compatibility Publisher certificate.
- The SpcSpOpusInfo programName field in Authenticode data provides vendor-identifying information that aids in discovering related malicious samples.
- Many EV code signing certificates (notably from DigiCert and Globalsign) are observed signing POORTRY- and SOGU-related binaries, including TEMPLESHOT components.
- Table-based analyses show numerous attestation-signed samples across multiple program names tied to Chinese organizations, particularly 大连纵梦网络科技有限公司.
- Hunting relies on YARA rules (Appendix A of the original post) that detect signed drivers and attestation-related artifacts; several signing-focused detections are documented.
- Conclusion: attestation signing is a legitimate process, but it can be abused to deliver malware; this mirrors prior disclosures by GData and Bitdefender in 2021 and reflects broader abuse of code signing services.
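The second key point above is the practical pivot: the programName string is carried in the signer's authenticated attributes under the SPC_SP_OPUS_INFO object identifier (1.3.6.1.4.1.311.2.1.12), so it can be pulled from any signed PE without a full Authenticode library. The following is an added hunting helper written for this summary, not code from Mandiant or from the original post. It reads the PE security directory, walks the PKCS#7 DER with a minimal TLV parser, and returns the programName; `build_sample_signature` constructs a stand-in blob (not a real signature) so the walker can be exercised offline, and the program name used in that sample is the one this page lists.

```python
"""Pull the Authenticode SpcSpOpusInfo programName out of a signed PE.

Added hunting helper (not Mandiant's code). The programName sits in the
signer's authenticated attributes under OID 1.3.6.1.4.1.311.2.1.12
(SPC_SP_OPUS_INFO_OBJID); a small DER walker is enough to reach it.
"""
import struct
import sys

# DER encoding of 1.3.6.1.4.1.311.2.1.12, compared byte-for-byte (DER is canonical).
SPC_SP_OPUS_INFO_OID = bytes.fromhex("2b06010401823702010c")


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _spc_string(value):
    """SpcString ::= CHOICE { unicode [0] IMPLICIT BMPSTRING, ascii [1] IMPLICIT IA5STRING }"""
    tag, inner, _ = _read_tlv(value, 0)
    if tag == 0x80:
        return inner.decode("utf-16-be")
    if tag == 0x81:
        return inner.decode("ascii")
    raise ValueError("unexpected SpcString tag 0x%02x" % tag)


def _opus_program_name(opus):
    """SpcSpOpusInfo ::= SEQUENCE { programName [0] EXPLICIT SpcString OPTIONAL, moreInfo [1] ... }"""
    for tag, inner in _children(opus):
        if tag == 0xA0:                     # [0] EXPLICIT programName
            return _spc_string(inner)
    return None                             # signer left programName empty


def find_program_name(der):
    """Depth-first walk of a PKCS#7 SignedData blob; returns programName or None."""
    stack = [der]
    while stack:
        try:
            kids = list(_children(stack.pop()))
        except (ValueError, IndexError):
            continue                        # malformed element: skip it, keep searching
        # Attribute ::= SEQUENCE { type OID, values SET OF SpcSpOpusInfo }
        if len(kids) == 2 and kids[0] == (0x06, SPC_SP_OPUS_INFO_OID) and kids[1][0] == 0x31:
            _, opus, _ = _read_tlv(kids[1][1], 0)
            return _opus_program_name(opus)
        stack.extend(inner for tag, inner in kids if tag & 0x20)  # descend into constructed only
    return None


def read_authenticode_blob(pe):
    """Return the PKCS#7 bytes from IMAGE_DIRECTORY_ENTRY_SECURITY, or None if unsigned."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)         # DataDirectory: PE32 vs PE32+
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4 = SECURITY (file offset)
    if not offset or not size:
        return None
    length = struct.unpack_from("<I", pe, offset)[0]     # WIN_CERTIFICATE.dwLength
    return pe[offset + 8:offset + length]                # skip dwLength/wRevision/wCertificateType


def _tlv(tag, content):
    """DER-encode one element (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_signature(program_name, ascii_form=False):
    """Constructed stand-in (not a real signature) mimicking the signed-attribute nesting."""
    spc = _tlv(0x81, program_name.encode("ascii")) if ascii_form \
        else _tlv(0x80, program_name.encode("utf-16-be"))
    opus_attr = _tlv(0x30, _tlv(0x06, SPC_SP_OPUS_INFO_OID)
                     + _tlv(0x31, _tlv(0x30, _tlv(0xA0, spc))))
    # contentType attribute (1.2.840.113549.1.9.3 -> SPC_INDIRECT_DATA) first, as real signers emit it.
    content_type = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010903"))
                        + _tlv(0x31, _tlv(0x06, bytes.fromhex("2b060104018237020104"))))
    signed_attrs = _tlv(0xA0, content_type + opus_attr)  # [0] IMPLICIT SET OF Attribute
    return _tlv(0x30, _tlv(0x30, signed_attrs))           # crude SignedData/SignerInfo wrapping


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        blob = read_authenticode_blob(f.read())
    print(find_program_name(blob) if blob else "unsigned")
```

Run it as `python extract_opus.py driver.sys` over a collection of drivers and group by the returned string; a programName that repeats across unrelated-looking binaries is exactly the pivot the key point describes. The walker only descends into constructed DER elements, so primitive content such as the signer's signature bytes is never misread as nested structure, and a truncated or malformed blob returns None rather than raising.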
MITRE Techniques
- [T1553.002] Code Signing – The attestation signing process signs binaries with Microsoft signing certificates, enabling trusted execution. “Attestation signing is a legitimate Microsoft program … signed with legitimate Microsoft certificates.”
- [T1583.001] Acquire Capabilities – Threat actors advertise and obtain signing services/certificates to sign malware, including EV certificates from DigiCert/Globalsign. “Threat actors and services advertising … that claim to provide code signing certificates or sign malware on behalf of threat actors.”
Indicators of Compromise
- [MD5] – 6fcf56f6ca3210ec397e55f727353c4a, ee6b1a79cb6641aa44c762ee90786fe0, and 2 more hashes
- [File Name] – 4.sys, NodeDriver.sys
- [Certificate Serial] – 01:15:3e:7a:3c:8d:c5:0b:3d:23:c8:ba:31:d3:70:52, 33:00:00:00:57:ee:4d:65:9a:92:3e:7c:10:00:00:00:00:00:57
- [Certificate Issuer] – DigiCert EV Code Signing CA
- [Program Name] – 大连纵梦网络科技有限公司 (and related program names observed in samples)
Read more: https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware