A new malware campaign that misuses a stolen digital certificate has been identified by security researchers at ESET, who found that the attackers had obtained code-signing certificates belonging to router and camera maker D-Link.
The campaign came to light when ESET received suspicious files that had been signed with a valid D-Link Corporation code-signing certificate.
Kevin Bocek, chief cybersecurity officer at Venafi, told Computer Business Review: “If you steal trusted machine identities from global technology companies, you can execute highly effective attacks that don’t raise any alarms.”
ESET identified two pieces of malware signed with the stolen certificate: “The Plead malware, a remotely controlled backdoor, and a related password stealer component,” the company stated in its blog.
Trend Micro attributes the Plead malware to a cyber espionage group it calls Blacktech, which mainly operates against targets in East Asia, including Japan, with a particular focus on businesses in Taiwan.
Trend Micro wrote on its security blog that Blacktech’s “toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services.”
Stealing Certificates
A digital certificate is issued by a certificate authority (CA) whose reputation is tied to it. The CA issues a certificate only after verifying the identity of the applicant, and the certificate binds that identity to a public key; the matching private key never leaves the publisher, and the signature is only as trustworthy as the publisher's control of that key.
Verifiers accept any signature that chains to a trusted CA, so an attacker who steals a publisher's private key can sign malware that is indistinguishable from the publisher's own software. That misuse leaves systems and people vulnerable to malware attacks until the certificate is revoked and clients actually check the revocation.
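As an added example (not code from the article, from ESET or from D-Link), the following shell script builds a throwaway PKI with openssl and walks through the situation described above: it issues a code-signing certificate to a hypothetical vendor, signs a constructed payload, shows that the same key signs a second "attacker" payload that passes the ordinary chain check just as well, then revokes the certificate and shows that only a verifier that consults the CRL rejects the signature. The CA name, vendor name, file names and payload contents are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: a constructed CA, vendor certificate and payloads, built in a
# temporary directory. Nothing here is real PKI data from the article.
set -eu
umask 077
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config for the hypothetical CA, the code-signing leaf and
# the 'openssl ca' database used later for revocation.
write_config() {
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_codesign ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
[ ca ]
default_ca = myca
[ myca ]
database = index.txt
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
serial = serial
crlnumber = crlnumber
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
    : > index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
}

# Hypothetical root CA, and a code-signing certificate issued by it to a
# hypothetical hardware vendor (a stand-in for the vendor in the article).
setup_pki() {
    write_config
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.pem -subj "/CN=Example Root CA" -days 30
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout vendor.key \
        -out vendor.csr -subj "/O=Example Hardware Vendor/CN=Example Hardware Vendor"
    openssl x509 -req -in vendor.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -extfile ca.cnf -extensions v3_codesign -out vendor.pem
}

# Sign $1 with the vendor key. The DER CMS SignedData embeds both the content
# and the signer certificate, as an Authenticode signature does: the verifier
# takes the certificate from the signed object itself.
sign_payload() {
    openssl cms -sign -binary -nodetach -md sha256 -in "$1" \
        -signer vendor.pem -inkey vendor.key -outform DER -out "$1.p7"
}

# What an ordinary verifier does: chain the embedded certificate to a trusted
# root and check the signature. Anything signed with a stolen vendor key
# passes this exactly as the vendor's own builds do.
verify_chain_only() {
    openssl cms -verify -binary -inform DER -in "$1.p7" \
        -CAfile ca.pem -purpose any -out /dev/null 2>/dev/null
}

# The defender's lever after a theft: the vendor revokes the certificate and
# the CA publishes a CRL. Only verifiers that consult it benefit.
revoke_vendor_cert() {
    openssl ca -config ca.cnf -revoke vendor.pem
    openssl ca -config ca.cnf -gencrl -out crl.pem
}

verify_with_crl() {
    openssl cms -verify -binary -inform DER -in "$1.p7" -CAfile ca.pem \
        -purpose any -crl_check -CRLfile crl.pem -out /dev/null 2>/dev/null
}

main() {
    setup_pki
    printf 'constructed payload: vendor installer v1.0\n' > installer.bin
    printf 'constructed payload: not written by the vendor\n' > dropper.bin
    sign_payload installer.bin
    sign_payload dropper.bin            # same key, as an attacker holding it would use
    verify_chain_only installer.bin && echo "chain check: vendor build accepted"
    verify_chain_only dropper.bin && echo "chain check: attacker build accepted too"
    revoke_vendor_cert
    if verify_with_crl dropper.bin; then
        echo "CRL check: still accepted (unexpected)"
    else
        echo "CRL check: rejected, certificate revoked"
    fi
}
main
```

Two points carry over to the real case. The verifier obtains the signer's certificate from the signed object, so nothing about a signature made with a stolen key distinguishes it from the vendor's own releases; and revocation only protects clients that fetch and honour CRL or OCSP data. Authenticode verifiers that honour a timestamp countersignature also keep trusting signatures made before the revocation's effective date, which is why a compromised certificate is revoked with an effective date set before the earliest known abuse rather than the day the theft was noticed.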
Kevin Bocek told us: “The scale of the problem is huge – every single computer, mobile or IoT device looks for a code signing certificate to ensure that the software it runs is trusted.”
“Hackers know this, and are increasingly looking to exploit this system of trust to spread malware; there are almost 25 million pieces of malware that appear trusted because they are legitimately signed by code signing certificates.”
The best-known malware to have used stolen digital certificates is the Stuxnet worm, discovered in 2010.
Stuxnet used digital certificates stolen from RealTek and JMicron, both well-known technology companies based in Taiwan.
The report comes after Computer Business Review reported that the vast majority of third-party security products for Apple platforms had long been susceptible to being tricked into treating malicious code as Apple-approved, as security researchers at software company Okta found.