
Microsoft’s researchers have established clear links between the group running this operation, which the company tracks as Fox Tempest, and ransomware affiliates who worked with gangs such as INC, Qilin, Akira, and Rhysida.
One ransomware group tracked as Vanilla Tempest used the code-signing service to create malicious installers for common enterprise software, such as AnyDesk, Microsoft Teams, PuTTY, and Webex. These fake but digitally signed installers were distributed via SEO poisoning and malvertising and were used to deploy a variety of backdoors, infostealers, and ransomware programs.
“This case points to how cybercrime is changing,” Steven Masada, assistant general counsel with Microsoft’s Digital Crimes Unit, said in a blog post. “What once required a single group to carry out an attack from start to finish is now broken into a modular ecosystem where services are bought and sold and work interchangeably with one another. Some services are inexpensive and widely used. Others, like Fox Tempest, are highly specialized and expensive because they remove friction or bypass obstacles that make attacks fail, making them both more reliable and harder to detect.”
Code signing at scale
For attackers, the value of digitally signing executable files is that Microsoft Defender SmartScreen shows weaker warnings for signed downloads, or none at all once the file has built up a clean reputation over time. For attacks that rely on users executing rogue installers that masquerade as popular applications, the absence of a scary warning is a big advantage.
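A signature being valid says nothing about whether the signer is the publisher a user would expect for that product, which is exactly the gap the fake installers described above exploit. The following PowerShell script is an added example written for this article, not Microsoft's code or tooling: it walks a folder of downloaded installers and flags files whose version-resource product name does not match the publisher expected to sign it. The function name Test-InstallerSigner, the $ExpectedSigner table, and the Downloads path are assumptions; the publisher names in the table are illustrative placeholders that an organisation should replace with values verified from its own software inventory.

```powershell
# Added example (not from the article): flag signed installers whose declared
# product name is not signed by the publisher expected for that product.
# $ExpectedSigner is a constructed, hypothetical allowlist; the values are
# placeholders to be verified against a known-good copy of each product.
$ExpectedSigner = @{
    'AnyDesk'         = 'AnyDesk Software GmbH'    # assumed value
    'Microsoft Teams' = 'Microsoft Corporation'    # assumed value
    'PuTTY'           = 'Simon Tatham'             # assumed value
    'Webex'           = 'Cisco Systems, Inc.'      # assumed value
}

function Test-InstallerSigner {
    param([Parameter(Mandatory)][string]$Path)

    # Authenticode status and signer certificate (works for PE and MSI files)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    # Version resource the installer claims for itself (ProductName, CompanyName)
    $info = (Get-Item -LiteralPath $Path).VersionInfo

    $signer = $null
    if ($sig.SignerCertificate) {
        # Extract the CN from a subject such as "CN=Contoso, O=Contoso, C=US".
        # Note: a CN containing an escaped comma would need a real DN parser.
        $signer = ($sig.SignerCertificate.Subject -split ',\s*' |
                   Where-Object { $_ -like 'CN=*' } |
                   Select-Object -First 1) -replace '^CN=', ''
    }

    # Look up which publisher should be signing a product with this name
    $expected = $null
    foreach ($key in $ExpectedSigner.Keys) {
        if ($info.ProductName -and $info.ProductName -like "*$key*") {
            $expected = $ExpectedSigner[$key]
            break
        }
    }

    $verdict = if ($sig.Status -ne 'Valid')                 { 'UNSIGNED_OR_INVALID' }
               elseif ($expected -and $signer -ne $expected) { 'SIGNER_MISMATCH' }
               elseif ($expected)                            { 'OK' }
               else                                          { 'UNKNOWN_PRODUCT' }

    [pscustomobject]@{
        Path      = $Path
        Product   = $info.ProductName
        Company   = $info.CompanyName
        SigStatus = $sig.Status
        Signer    = $signer
        Expected  = $expected
        Verdict   = $verdict
    }
}

# Usage: review every installer in the Downloads folder that is not a clean match
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.msi -Recurse -File |
    ForEach-Object { Test-InstallerSigner -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'OK' } |
    Format-Table -AutoSize
```

The check is deliberately independent of SmartScreen's reputation scoring: a freshly issued certificate in an unrelated company's name passes Authenticode validation and may carry no reputation either way, but it will still produce a SIGNER_MISMATCH verdict when the file presents itself as AnyDesk or Teams. UNKNOWN_PRODUCT rows are not necessarily malicious; they show where the allowlist is incomplete and should be extended from a verified inventory rather than from whatever the file claims about itself.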
