Exposing Fox Tempest: A malware-signing service operation
Fox Tempest is a financially motivated threat actor providing malware-signing-as-a-service (MSaaS) to the cybercrime ecosystem. By abusing Microsoft Artifact Signing via stolen identities, they generate short-lived, fraudulent code-signing certificates that allow threat actors like Vanilla Tempest to bypass security controls and deploy payloads such as the Oyster backdoor and Rhysida ransomware.
Authors: Microsoft Threat Intelligence, Microsoft Digital Crimes Unit (DCU)
Source: Microsoft
- Domain: signspace[.]cloud - Defunct web portal used by Fox Tempest to provide malware-signing-as-a-service.
- Filename: MSTeamsSetup.exe - Fraudulently signed fake Microsoft Teams installer used by Vanilla Tempest to deploy the Oyster backdoor.
What Happened
Cybercriminals known as Fox Tempest are running a service that helps other hackers make their malicious software look like legitimate, trusted applications by fraudulently obtaining digital certificates. Organizations globally across various sectors are affected, as well as individuals who download what they think is legitimate software like Microsoft Teams. This matters because it allows dangerous software, including ransomware, to bypass standard security defenses and infect computers more easily. Organizations should ensure their security tools are updated, use cloud-delivered protection, and enforce strict policies against tampering with antivirus software.
Key Takeaways
- Fox Tempest operates a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to generate short-lived, fraudulent code-signing certificates.
- The service enables ransomware operators like Vanilla Tempest to bypass security controls by signing malware to appear as legitimate software (e.g., Microsoft Teams).
- Fox Tempest's infrastructure evolved from a web portal (signspace.cloud) to providing customers with pre-configured VMs hosted on Cloudzy.
- Vanilla Tempest utilized this service to sign fake Microsoft Teams installers that deploy the Oyster backdoor and subsequently Rhysida ransomware.
- Microsoft disrupted the signspace.cloud infrastructure and revoked over a thousand fraudulent certificates.
Affected Systems
- Windows endpoints
- Azure tenants (abused for infrastructure creation)
Attack Chain
Fox Tempest obtains fraudulent Azure tenants and uses Microsoft Artifact Signing to generate short-lived code-signing certificates. Threat actors like Vanilla Tempest purchase this service to sign malicious payloads, such as a fake Microsoft Teams installer (MSTeamsSetup.exe). Victims download the signed installer via malvertising or SEO poisoning, which executes and deploys the Oyster backdoor. Oyster establishes persistence via scheduled tasks, communicates with C2, and ultimately deploys Rhysida ransomware.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Microsoft Defender Antivirus, Microsoft Defender for Endpoint
Microsoft provides built-in detections for the malware families distributed using Fox Tempest's service, including Oyster, LummaStealer, Vidar, and various ransomware families, via Microsoft Defender Antivirus and Defender for Endpoint.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions can detect the execution of fake installers, the dropping of secondary payloads (Oyster DLL), and the creation of scheduled tasks for persistence.
- Network Visibility: Medium — Network visibility can identify downloads from suspicious domains (SEO poisoning/malvertising) and C2 communications from the Oyster backdoor, though the initial download may appear as a legitimate signed binary.
- Detection Difficulty: Moderate — The use of valid (though fraudulently obtained) code-signing certificates makes initial detection difficult for traditional AV relying on signature/trust checks, requiring behavioral analysis to catch the post-execution activity.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- File Creation (Sysmon 11)
- Scheduled Task Creation (Event ID 4698)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for the execution of common installer names (e.g., MSTeamsSetup.exe) that drop unrecognized DLLs or create scheduled tasks shortly after execution. | Process creation, File creation, Scheduled task creation | Execution / Persistence | Medium (Legitimate installers also create scheduled tasks and drop DLLs, requiring baseline comparison of the specific dropped files and task parameters). |
| If you have visibility into certificate details, consider hunting for binaries signed by 'Microsoft ID Verified CS EOC CA 01' that exhibit suspicious network connections or child processes. | File metadata (Signature/Issuer), Process creation, Network connections | Defense Evasion / Execution | High (This CA may issue legitimate certificates; correlation with behavioral anomalies is required). |
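To make the first hunting hypothesis concrete, here is an added example (not from Microsoft's report or any Defender product) that correlates the three required log sources over a few constructed events: a process-creation record for a common installer name, followed by DLL drops and scheduled-task creation by the same process within a short window. The event dictionary fields and the five-minute window are assumptions; the issuer string from the second hypothesis is surfaced only as a weak corroborating flag, as the table's FP note advises.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are hypothetical, loosely modelled on
# Sysmon 1 (process create), Sysmon 11 (file create) and Event ID 4698 (task create).
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "type": "process_create", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\MSTeamsSetup.exe",
     "issuer": "Microsoft ID Verified CS EOC CA 01"},
    {"ts": "2024-01-10T09:00:04", "type": "file_create", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Roaming\updater.dll"},
    {"ts": "2024-01-10T09:00:07", "type": "task_create", "pid": 4120,
     "task": r"\ClientUpdater"},
    # A genuine installer run: drops a DLL but registers no scheduled task, so no finding.
    {"ts": "2024-01-10T10:00:00", "type": "process_create", "pid": 5300,
     "image": r"C:\Users\bob\Downloads\MSTeamsSetup.exe", "issuer": "Microsoft Corporation"},
    {"ts": "2024-01-10T10:00:02", "type": "file_create", "pid": 5300,
     "path": r"C:\Program Files\Teams\Teams.dll"},
]

INSTALLER_NAMES = {"msteamssetup.exe"}          # extend with other commonly spoofed installers
WEAK_ISSUER = "microsoft id verified cs eoc ca 01"  # weak signal alone; only corroborates
WINDOW = timedelta(minutes=5)                   # assumed "shortly after execution" window

def hunt(events, window=WINDOW):
    """Return one finding per installer-named process that, within `window` of
    starting, both dropped a DLL and created a scheduled task."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        for start in evs:
            if start["type"] != "process_create" or \
               start["image"].rsplit("\\", 1)[-1].lower() not in INSTALLER_NAMES:
                continue
            t0 = datetime.fromisoformat(start["ts"])
            later = [e for e in evs if t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
            dlls = [e["path"] for e in later
                    if e["type"] == "file_create" and e["path"].lower().endswith(".dll")]
            tasks = [e["task"] for e in later if e["type"] == "task_create"]
            if dlls and tasks:   # require the full behavioural chain, not the signature alone
                findings.append({"pid": pid, "image": start["image"], "dlls": dlls, "tasks": tasks,
                                 "weak_issuer_match": start.get("issuer", "").lower() == WEAK_ISSUER})
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Only the first process is reported, because the second drops a DLL without creating a task; tune `INSTALLER_NAMES` and the window against your own baseline of legitimate installer behaviour.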
Control Gaps
- Over-reliance on digital signatures for execution trust
- Lack of tamper protection on endpoint security agents
Key Behavioral Indicators
- Execution of MSTeamsSetup.exe leading to unexpected DLL loads
- Scheduled task creation by recently downloaded installers
- Local admin account creation using Net commands
False Positive Assessment
- Medium. The primary evasion technique relies on valid digital signatures, meaning alerting purely on the signature issuer will likely cause false positives. Detections must focus on the behavioral chain (e.g., fake installer dropping a backdoor).
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Ensure cloud-delivered protection is enabled in your endpoint security product to block new and unknown malware variants.
- Evaluate whether tamper protection features are enabled to prevent attackers from disabling security services or modifying exclusions.
Infrastructure Hardening
- Consider enabling Attack Surface Reduction (ASR) rules to block executable files from running unless they meet a prevalence, age, or trusted list criterion.
- If using Intune or Defender, consider enabling DisableLocalAdminMerge to prevent modification of antivirus exclusions via Group Policy.
User Protection
- Encourage the use of web browsers that support reputation-based blocking (like SmartScreen) to prevent access to malvertising and SEO-poisoned sites.
- Evaluate enabling Safe Links and Safe Attachments in your email security gateway.
Security Awareness
- Educate users on the risks of downloading software from unofficial sources or search engine advertisements, even if the application appears to be a trusted brand like Microsoft Teams.
MITRE ATT&CK Mapping
- T1588.003 - Obtain Capabilities: Code Signing Certificates
- T1553.002 - Subvert Trust Controls: Code Signing
- T1036.005 - Masquerading: Match Legitimate Name or Location
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1566.002 - Phishing: Spearphishing Link
Additional IOCs
- File Paths:
  - C:\sign\metadata.json - Configuration file pointing to an Azure-hosted endpoint for signing, found on Fox Tempest VMs.
  - C:\sign\PS code sample.txt - PowerShell script used to sign customer-submitted files, found on Fox Tempest VMs.
  - C:\sign\test.js - Example file provided by Fox Tempest to demonstrate signing capabilities to customers.
- Other:
  - arbadakarba2000 - Telegram user account associated with Fox Tempest's EV Certs for Sale channel.
  - EV Certs for Sale by SamCodeSign - Telegram channel used by Fox Tempest to engage with customers.
  - Microsoft ID Verified CS EOC CA 01 - Issuer name observed on fraudulent certificates generated by Fox Tempest.