Stolen Code-Signing Certificate Used in Malware Attack

Certificate misuse can fool IT systems into accepting malware

By CBR Staff Writer

A new malware campaign that misuses a stolen digital certificate has been identified by security researchers at ESET. They found that crooks had acquired code-signing certificates belonging to router and camera maker D-Link.

The malware attack was discovered when the researchers received suspicious files signed with valid D-Link Corporation code-signing certificates.

Chief cybersecurity officer at Venafi, Kevin Bocek told Computer Business Review: “If you steal trusted machine identities from global technology companies, you can execute highly effective attacks that don’t raise any alarms.”

ESET identified two different types of malware that were using the stolen certificate: “The Plead malware, a remotely controlled backdoor, and a related password stealer component,” they stated in their blog.

Cybersecurity analysts Trend Micro have named the hacker group Blacktech as the source of the Plead malware. Blacktech is a cyber espionage group that mainly operates in East Asia and Japan, with a particular focus on businesses in Taiwan.

Trend Micro said on their security blog that Blacktech’s “toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services.”

Stealing Certificates

A digital certificate is issued by an organisation whose security reputation is tied to it. A Certificate Authority will only issue certificates vouching for a party's cryptographic signing key to parties it trusts.

So the misuse of a certificate leaves systems and people vulnerable to malware attacks: software signed with a trusted certificate is accepted as trusted, whoever actually signed it.
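The trust chain described above, and the reason a stolen signing key is so effective, can be walked through in code. The following Go program is an added example written for this article, not code from ESET, Venafi, D-Link or the researchers quoted here. It uses only the Go standard library: a hypothetical CA (“Example Code Signing CA”) issues a code-signing certificate to a hypothetical vendor (“Example Vendor Ltd”), the vendor signs a file, and a verifier modelled on what an operating system or updater does (trusted root, code-signing extended key usage, revocation, signature over the file hash) accepts it. The same verifier also accepts a different file signed with the same key, because a valid signature only proves possession of the key, not the signer's intent. The revocation list is a constructed stand-in for a CRL or OCSP lookup; once the certificate's serial is on it, everything signed with that certificate is rejected, which is why revocation checking is the defender's lever once a theft is reported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verifier models the acceptance test an OS or updater runs before executing signed code.
// Revoked is a constructed stand-in for a CRL/OCSP lookup (hypothetical, for this example).
type Verifier struct {
	Roots   *x509.CertPool
	Revoked map[string]bool // certificate serial (decimal string) -> revoked
}

// Result records the outcome of the three checks performed in RunScenario.
type Result struct {
	VendorSigned    bool // vendor-signed file accepted
	StolenKeySigned bool // attacker-signed file accepted while the certificate is still valid
	AfterRevocation bool // vendor-signed file accepted after the certificate is revoked
}

// newCert generates a P-256 key and issues a certificate for it; parent == nil means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// sign hashes the file and signs the digest, as a code-signing tool does.
func sign(key *ecdsa.PrivateKey, file []byte) ([]byte, error) {
	digest := sha256.Sum256(file)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Verify checks chain, key usage, revocation and the signature itself, in that order.
func (v *Verifier) Verify(file, sig []byte, cert *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: v.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted chain: %w", err)
	}
	if v.Revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type")
	}
	digest := sha256.Sum256(file)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match file")
	}
	return nil
}

// RunScenario issues the certificates, signs two constructed files and reports what the verifier accepts.
func RunScenario() (Result, error) {
	var r Result
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Code Signing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return r, err
	}
	vendorTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Example Vendor Ltd"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	vendorCert, vendorKey, err := newCert(vendorTmpl, ca, caKey)
	if err != nil {
		return r, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	v := &Verifier{Roots: roots, Revoked: map[string]bool{}}

	firmware := []byte("constructed sample: vendor firmware update v1.2")
	sig1, err := sign(vendorKey, firmware)
	if err != nil {
		return r, err
	}
	r.VendorSigned = v.Verify(firmware, sig1, vendorCert) == nil

	// An attacker holding a copy of vendorKey produces a signature indistinguishable from the vendor's.
	payload := []byte("constructed sample: attacker-supplied payload")
	sig2, err := sign(vendorKey, payload)
	if err != nil {
		return r, err
	}
	r.StolenKeySigned = v.Verify(payload, sig2, vendorCert) == nil

	// After the theft is reported the CA revokes the certificate; verifiers that check revocation reject it.
	v.Revoked[vendorCert.SerialNumber.String()] = true
	r.AfterRevocation = v.Verify(firmware, sig1, vendorCert) == nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor-signed accepted: %v, stolen-key-signed accepted: %v, after revocation accepted: %v\n",
		r.VendorSigned, r.StolenKeySigned, r.AfterRevocation)
}
```

The ordering inside `Verify` matters for defenders: chain and extended-key-usage checks reject certificates that were never meant for code signing, the revocation check catches keys known to be stolen, and only then is the signature compared against the file. A verifier that skips the revocation step keeps accepting a stolen key for as long as the certificate remains within its validity period.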

Kevin Bocek told us: “The scale of the problem is huge – every single computer, mobile or IoT device looks for a code signing certificate to ensure that the software it runs is trusted.”

“Hackers know this, and are increasingly looking to exploit this system of trust to spread malware; there are almost 25 million pieces of malware that appear trusted because they are legitimately signed by code signing certificates.”

The best known malware to have used several stolen digital certificates is the Stuxnet worm, discovered in 2010.

Stuxnet used digital certificates stolen from Realtek and JMicron, both well-known technology companies based in Taiwan.

The report comes after Computer Business Review reported that the vast majority of third-party security products for Apple have long been susceptible to being tricked into thinking malicious code is Apple-approved, as security researchers at software company Okta found.
