D-Link and Changing Information Technologies certificates were used to sign malware.

    ESET researchers have discovered a new malware campaign that uses stolen code-signing certificates. Digital certificates belonging to D-Link Corporation and Changing Information Technologies were stolen by a highly skilled cyber espionage group focused on East Asia.

    We spotted the malicious campaign when our systems flagged several files as suspicious. Interestingly, the flagged files were digitally signed with a valid certificate belonging to D-Link Corporation. The same certificate was used to sign legitimate D-Link software, so the certificate was most likely stolen.

    After confirming that the file was malicious, we reported the problem to D-Link, which started its own investigation. As a result, the company revoked the compromised digital certificate on July 3.

    Figure 1. The D-Link digital certificate is used to sign malware.

    Malicious software

    During our investigation we found two malware families using the stolen certificates: the Plead backdoor, which remotely controls the compromised machine, and a related component that steals passwords. JPCERT recently published a detailed analysis of the Plead backdoor; according to Trend Micro, it is used by the BlackTech cyber espionage group.

    In addition to the Plead samples signed with the D-Link certificate, we identified samples signed with a certificate belonging to the Taiwanese security company Changing Information Technology Inc.

    Figure 2. The Changing Information Technology Inc. digital certificate used to sign malware

    The Changing Information Technology Inc. certificate was revoked on July 4, 2017, but the BlackTech group still uses it to sign its malicious tools.

    The ability to compromise several Taiwanese technology companies and reuse their certificates in new attacks shows that the group is highly skilled and has a strong interest in the region.

    The signed Plead samples are heavily obfuscated with junk code, but the purpose of the malware is the same in every sample: it either downloads a small, encrypted binary blob from a remote server or opens one from the local disk. The blob contains encrypted shellcode that loads the final Plead backdoor module.

    Figure 3. Obfuscated Plead backdoor code

    The password stealer collects saved passwords from the following applications:

    - Google Chrome
    - Microsoft Internet Explorer
    - Microsoft Outlook
    - Mozilla Firefox

    Why steal digital certificates?

    Using stolen digital certificates is one way for malware to stay hidden. A valid signature makes malware look legitimate, so it can slip past security measures without raising suspicion.

    Probably the best-known malware that used several certificates belonging to other companies is Stuxnet, discovered in 2010 and regarded as the first cyber weapon aimed at critical infrastructure. Stuxnet used digital certificates stolen from RealTek and JMicron, both well-known technology companies from Taiwan.

    However, this tactic is not limited to large-scale incidents such as Stuxnet, as the latest discovery shows.

    Indicators of compromise:

    Detection by ESET products:
    Win32/PSW.Agent.OES trojan
    Win32/Plead.L trojan
    Win32/Plead.S trojan
    Win32/Plead.T trojan
    Win32/Plead.U trojan
    Win32/Plead.V trojan
    Win32/Plead.X trojan
    Win32/Plead.Y trojan
    Win32/Plead.Z trojan

    Unsigned samples (SHA-1):

    Signed samples (SHA-1):

    C&C servers:
    amazon.panasocin[.]com
    office.panasocin[.]com
    okinawas.ssl443[.]org

    Code-signing certificate serial numbers:
    D-Link Corporation:
    13:03:03:E4:57:0C:27:29:09:E2:65:DD:B8:59:DE:EF
    Changing Information Technology Inc.:
    73:65:ED:E7:F8:FB:B1:47:67:02:D2:93:08:39:6F:51
    1E:50:CC:3D:D3:9B:4A:CC:5E:83:98:CC:D0:DD:53:EA
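    As an added example (not ESET's code or tooling), the Python below checks whether a Windows executable's Authenticode signature contains one of the certificate serial numbers listed in the indicators above. It parses the PE security directory itself and matches the DER-encoded serial, so a sample stays detectable even after the certificate is revoked, which, as noted earlier, did not stop the group from reusing the Changing Information Technology certificate. The build_test_pe() fixture and the sample bytes in the comments are constructed for demonstration and are not real samples.

```python
import struct

# Serial numbers the article lists for the code-signing certificates abused to sign Plead.
STOLEN_CERT_SERIALS = {
    "13:03:03:E4:57:0C:27:29:09:E2:65:DD:B8:59:DE:EF": "D-Link Corporation",
    "73:65:ED:E7:F8:FB:B1:47:67:02:D2:93:08:39:6F:51": "Changing Information Technology Inc.",
    "1E:50:CC:3D:D3:9B:4A:CC:5E:83:98:CC:D0:DD:53:EA": "Changing Information Technology Inc.",
}


def der_integer(serial_hex):
    """DER encoding of an X.509 serialNumber: tag 0x02, length, big-endian value
    (a value whose first byte has the high bit set carries a leading 0x00 byte)."""
    raw = bytes.fromhex(serial_hex.replace(":", "").replace(" ", ""))
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + bytes([len(raw)]) + raw


def authenticode_blob(pe):
    """Return the PKCS#7 bytes from a PE's security directory, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                         # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    datadir = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+ optional header
    off, size = struct.unpack_from("<II", pe, datadir + 4 * 8)  # entry 4: IMAGE_DIRECTORY_ENTRY_SECURITY
    if size == 0:
        return None
    return pe[off + 8:off + size]  # skip WIN_CERTIFICATE header (dwLength, wRevision, wCertificateType)


def stolen_cert_hits(pe):
    """Owners of known-abused certificates whose serial number appears in the file's signature."""
    blob = authenticode_blob(pe)
    if blob is None:
        return []
    return sorted({owner for serial, owner in STOLEN_CERT_SERIALS.items() if der_integer(serial) in blob})


def build_test_pe(blob):
    """Constructed fixture: a minimal PE32 skeleton carrying `blob` as its Authenticode entry."""
    pe_off = 0x40
    opt = bytearray(224)                                      # PE32 optional header: 96 + 16 * 8 bytes
    struct.pack_into("<H", opt, 0, 0x10B)                     # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    sec_off = pe_off + 4 + 20 + len(opt)                      # certificate table follows the headers
    struct.pack_into("<II", opt, 96 + 4 * 8, sec_off, 8 + len(blob))
    header = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off) + b"PE\0\0" + b"\0" * 20 + bytes(opt)
    return header + struct.pack("<IHH", 8 + len(blob), 0x200, 0x0002) + blob
```

    A serial-number hit on its own is a triage signal, not proof of Plead: the article notes that the same D-Link certificate also signed legitimate D-Link software, so combine it with the other indicators before acting.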
