Microsoft Disrupts Fox Tempest's Malware-Signing Service

🚨 Microsoft just shut down a malware-signing service used by ransomware gangs. Defenders should verify if their systems are still trusting certificates from this disrupted service. 🛡️🛠️


What Happened

Microsoft disrupted a malware-signing-as-a-service (MSaaS) operation that leveraged its Artifact Signing service to obtain fraudulent code-signing certificates. These certificates allowed cybercriminals to disguise ransomware and other malware as legitimate software. The disruption came after SecurityWeek and BleepingComputer reported the operation, which had been quietly enabling attacks for months.

The service, operated by a group known as Fox Tempest, provided attackers with the ability to sign malicious payloads with trusted Microsoft credentials. This made the malware appear safe to users, bypassing standard security controls. Microsoft’s move to block access to the service effectively cut off a key distribution channel for ransomware gangs.

The twist? The operation wasn’t a single attack but a persistent infrastructure. Cybercriminals used it to sign and distribute malware across multiple campaigns, including ransomware variants and stealers. This suggests a coordinated effort to exploit Microsoft’s trust in its signing process.


Confirmed Impact

The takedown has already interrupted several ransomware campaigns. SecurityWeek noted that the service was used to sign payloads for at least three distinct ransomware groups. These groups relied on the fraudulent certificates to bypass endpoint detection and response (EDR) tools, which typically flag unsigned executables.

The attack chain exploited the trust placed in Microsoft’s signing process. Attackers would download a malicious file, sign it with a fraudulently obtained certificate, and distribute it via phishing emails or compromised websites. Once executed, the malware could encrypt files or exfiltrate data without triggering alerts.

Worth noting: The service’s disruption doesn’t automatically remove existing malware from systems. Defenders must still hunt for signs of compromise, especially if the malware was already deployed before the service was taken down.


Actor Attribution

The group behind the service is identified as Fox Tempest, a known ransomware actor with ties to several high-profile attacks. While attribution in cybercrime is often murky, the scale and persistence of this operation suggest a well-resourced group.

Fox Tempest’s use of Microsoft’s signing infrastructure indicates a deep understanding of how trust is leveraged in software distribution. This isn’t a one-off exploit; it’s a tactic that highlights the broader risk of supply chain attacks.

That said, the exact scope of Fox Tempest’s activities remains unclear. SecurityWeek and BleepingComputer haven’t confirmed whether the group has other services or infrastructure under their control. This gap leaves room for further exploitation.


Defensive Guidance

Defenders should immediately check if their systems are still trusting certificates issued through Microsoft’s Artifact Signing service. This includes verifying the validity of code-signing certificates used by internal tools or third-party software.

A critical step is to audit logs for suspicious certificate signings. Use the following PowerShell query to check for unusual activity in the Windows Event Log (Get-WinEvent requires a log name alongside the XPath filter, and the filter must wrap the EventID and provider in the System node):

Get-WinEvent -LogName Security -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=6008]]" | Format-Table TimeCreated, Message

This command identifies events where certificates were used to sign files, which could indicate a compromised signing process. Validate the event ID and log name against your own auditing configuration before relying on the query, since the events available depend on which audit policies are enabled.

Another opportunity lies in endpoint detection and response (EDR) tools. Configure them to flag unsigned executables or files with unexpected digital signatures. For example, a Sigma rule to detect suspicious certificate use (Sigma requires a service or category under logsource in addition to product, and a substring match on Message is more robust than an exact match):

title: Suspicious Microsoft Certificate Signing
status: experimental
description: Detects Security log events indicating a certificate was used to sign a file
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 6008
    Message|contains: 'Certificate used to sign file'
  condition: selection
level: medium

This rule helps identify when a file was signed with a certificate that shouldn’t be trusted.
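To act on the guidance above about verifying the code-signing certificates on internal tools and third-party software, the following PowerShell script is an added example (not from the article or from Microsoft) that inventories Authenticode signatures under a path and flags files whose signature is not valid, whose signer matches a thumbprint or issuer pattern you supply, or whose certificate has an unusually short validity window. The issuer pattern and thumbprint values are placeholders, and the short-lifetime threshold is an assumed heuristic, not an indicator published for this operation.

```powershell
# Added example: audit Authenticode signatures on executables and flag suspicious signers.
# Indicator values below are placeholders; replace them with your own intel.
param(
    [string]$Path = 'C:\Program Files',
    [string[]]$UntrustedIssuerPatterns = @('PLACEHOLDER-ISSUER-NAME'),
    [string[]]$UntrustedThumbprints = @('PLACEHOLDER-THUMBPRINT'),
    [int]$ShortLifetimeDays = 7   # assumed heuristic: very short-lived certs deserve a look
)

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.ps1 -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = $sig.SignerCertificate
    $flags  = @()

    # Anything other than a valid chain (NotSigned, HashMismatch, UnknownError, ...) is worth review
    if ($sig.Status -ne 'Valid') { $flags += "status=$($sig.Status)" }

    if ($signer) {
        if ($UntrustedThumbprints -contains $signer.Thumbprint) { $flags += 'untrusted-thumbprint' }
        foreach ($pattern in $UntrustedIssuerPatterns) {
            if ($signer.Issuer -like "*$pattern*") { $flags += "issuer-match:$pattern" }
        }
        # Surface certificates with a very short validity window
        $lifetime = ($signer.NotAfter - $signer.NotBefore).TotalDays
        if ($lifetime -lt $ShortLifetimeDays) { $flags += "short-lived:$([int]$lifetime)d" }
    }

    [pscustomobject]@{
        File       = $_.FullName
        Status     = $sig.Status
        Subject    = $signer.Subject
        Issuer     = $signer.Issuer
        Thumbprint = $signer.Thumbprint
        NotAfter   = $signer.NotAfter
        Flags      = ($flags -join ';')
    }
} |
Where-Object { $_.Flags } |
Format-Table -AutoSize
```

Run it as a .ps1 with `-Path` pointed at the directories where internal tools and vendor software are installed; a valid signature from a trusted-looking issuer is not proof of safety, so treat flagged rows as leads for further hunting rather than verdicts.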


What Remains Unclear

The full extent of Fox Tempest’s operations is still under investigation. While Microsoft disrupted the service, it’s unclear if the group has other infrastructure or services that could be used for future attacks.

Another gap is the timeline of the disruption. SecurityWeek and BleepingComputer report the service was taken down, but they don’t specify when or how. This lack of detail makes it harder to assess the immediate impact on ongoing attacks.

Also unclear is whether other vendors’ signing services are similarly vulnerable. While Microsoft’s case is significant, it’s possible other platforms are being exploited in similar ways.


Sources

  1. https://www.securityweek.com/microsoft-disrupts-malware-signing-service-run-by-fox-tempest/
  2. https://www.bleepingcomputer.com/news/security/cybercrime-service-disrupted-for-abusing-microsoft-platform-to-sign-malware/
  3. https://github.blog/security/how-a-top-bug-bounty-researcher-got-their-start-in-security/
  4. https://www.securityweek.com/legacy-windows-tool-mshta-fuels-surge-in-silent-malware-attacks/
  5. https://github.blog/security/vulnerability-research/bugs-that-survive-the-heat-of-continuous-fuzzing/
Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -