Stolen D-Link Certificates Spreads Backdoor Malware
A new hacking campaign discovered recently makes use of stolen D-Link certificates to spread backdoor malware.
Cybersecurity researchers at ESET have spotted the new malware campaign when their systems started marking many files as suspicious. Since the flagged files were digitally signed using a legitimate D-Link Corporation code-signing certificate, it made the researchers more suspicious.
A blog post written by ESET Senior Malware Researcher Anton Cherepanov explains how they spotted the new malware, following which they notified D-Link, which revoked the compromised digital certificate. The post, dated 9 July 2018, says- “We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate. The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen…Having confirmed the file’s malicious nature, we notified D-Link, who launched their own investigation into the matter. As a result, the compromised digital certificate was revoked by D-Link on July 3, 2018.”
It’s speculated that the group behind the attack is BlackTech, a rather lesser-known cyber-espionage group that targets companies and organizations in Asia, focusing those in Japan, Hong Kong and Taiwan.
The researchers have identified the main malware family in this campaign as PLEAD, which downloads from a remote server or opens from a local disk a small encrypted binary blob. This encrypted binary blob would have encrypted shellcode; this downloads the full backdoor module. The researchers have also spotted a password stealer that is signed using the certificate and which is used to exfiltrate passwords from Google Chrome, Mozilla Firefox, Microsoft Internet Explorer and Microsoft Outlook.
The ESET blog post says- “Our analysis identified two different malware families that were misusing the stolen certificate – the Plead malware, a remotely controlled backdoor, and a related password stealer component. Recently, the JPCERT published a thorough analysis of the Plead backdoor, which, according to Trend Micro, is used by the cyberespionage group BlackTech.”
The blog post further says- “Along with the Plead samples signed with the D-Link certificate, ESET researchers have also identified samples signed using a certificate belonging to a Taiwanese security company named Changing Information Technology Inc…Despite the fact that the Changing Information Technology Inc. certificate was revoked on July 4, 2017, the BlackTech group is still using it to sign their malicious tools…The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region.”
Using stolen digital certificates to sign malicious software and then carrying out malware campaigns- that’s not at all a new trend. Digital certificates are issued to confirm the legitimacy and security of files and software. Hackers who steal such digital certificates can sign malicious certificates with the same so as to make them appear legitimate. Thus they would be able to circumvent standard cybersecurity programs and spread malware to systems and networks.
The ESET blog post says- “Probably the most infamous malware known to have used several stolen digital certificates is the Stuxnet worm, discovered in 2010 and the malware behind the very first cyberattack to target critical infrastructure. Stuxnet used digital certificates stolen from RealTek and one from JMicron, two well-known technology companies based in Taiwan.”
The post adds, as a concluding remark- “However, the tactic is not exclusive to high-profile incidents like Stuxnet, as evidenced by this recent discovery.”