Stolen digital certificates at the center of a new malware campaign made the malicious software appear safe before...
it stole user passwords.
An espionage group used stolen digital certificates to sign Plead backdoor malware and a password stealer component used in attacks in East Asia, according to Anton Cherepanov, senior malware researcher at ESET. The password stealer targeted Google Chrome, Mozilla Firefox and Internet Explorer browsers, as well as Microsoft Outlook.
Cherepanov determined the certificates were likely stolen because the malware code was signed with the "exact same certificate ... used to sign non-malicious D-Link software."
"Recently, the JPCERT published a thorough analysis of the Plead backdoor, which, according to Trend Micro, is used by the cyberespionage group BlackTech," Cherepanov wrote in a blog post. "Along with the Plead samples signed with the D-Link certificate, ESET researchers have also identified samples signed using a certificate belonging to a Taiwanese security company named Changing Information Technology Inc. Despite the fact that the Changing Information Technology Inc. certificate was revoked on July 4, 2017, the BlackTech group is still using it to sign their malicious tools."
ESET researchers contacted D-Link about the stolen digital certificates, and D-Link revoked the compromised certificate on July 3.
Cherepanov said this case was different from recent issues with compromised SSL certificates because the stolen digital certificates were used to sign malicious files, and "unlike SSL certificates, the code signing certificates can't be obtained for free."
"Misusing digital certificates is one of the many ways cybercriminals try to mask their malicious intentions -- as the stolen certificates let malware appear like legitimate applications, the malware has a greater chance of sneaking past security measures without raising suspicion," Cherepanov wrote via email. "This technique also helps attackers to circumvent native/built-in protective measures of the OS based on the validity of these certificates. Also noteworthy, certificates from a Taiwan-based company were stolen and misused by Stuxnet."
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said "there's no doubt we're going to see a lot more of these attacks in the future," where machine identities and stolen digital certificates are being abused by malicious actors.
"Code signing certificates are a method to ensure the identity of the code developer. Ideally, they verify that the software has been published by a trusted company. They also double-check the software to ensure that it hasn't degraded, become corrupted, or been tampered with," Bocek wrote via email. "Because of the power of these certificates, if they fall into the wrong hands they can be the ultimate 'keys to the kingdom'. Any attacker or developer with malicious intent can obtain a private key for code signing if they really want to. What deters most of them is that they have to register with the [certificate authority] to obtain one, which makes it much easier to identity them if they distribute malicious code. This is why there is a thriving black market for stolen code-signing certificates."