Hanqing Zhao (Tsinghua University & QI-ANXIN Technology Research Institute), Yiming Zhang (Tsinghua University), Lingyun Ying (QI-ANXIN Technology Research Institute), Mingming Zhang (Zhongguancun Laboratory), Baojun Liu (Tsinghua University), Haixin Duan (Tsinghua University), Zi-Quan You (Tsinghua University), Shuhao Zhang (QI-ANXIN Technology Research Institute)
Using digital certificates to sign software is an important protection for its trustworthiness and integrity. However, attackers can abuse the mechanism to obtain signatures for malicious samples, aiding malware distribution. Despite existing work uncovering instances of code-signing abuse, the problem persists and continues to escalate. Understanding the evolution of the ecosystem and the strategies of abusers is vital to improving defense mechanisms.
In this work, we conducted a large-scale measurement of code-signing abuse using 3,216,113 signed malicious PE files collected from the wild.
Through fine-grained classification, we identified 43,286 abused certificates and categorized them into five abuse types, creating the largest labeled dataset to date. Our analysis revealed that abuse remains widespread, affecting certificates from 114 countries issued by 46 Certificate Authorities (CAs). We also observed the evolution of abuser techniques and identified current limitations in certificate revocation. Furthermore, we characterized abusers' behaviors and strategies, uncovering five tactics to evade detection, reduce costs and enhance abusing impact. Notably, we uncovered 3,484 polymorphic certificate clusters and, for the first time, documented real-world instances of malware leveraging polymorphism to evade revocation checks. Our findings expose critical flaws in current code-signing practices, and are expected to raise community awareness of the abuse threats.