Home > Cyber News > Valid D-Link Certificate Used by Plead Malware Campaigns

Valid D-Link Certificate Used by Plead Malware Campaigns

A new malware campaign leveraging stolen digital certificates has been discovered by security researchers at cybersecurity firm ESET. The researchers spotted the malware campaign when some of their systems marked several files as suspicious.

Related Story: Malware Trends 2018: How Is the Threat Landscape Shaping?

Plead Malware Using the Stolen Certificates

It turned out that the flagged files were digitally signed via a valid D-Link Corporation code-signing certificate. The exact same certificate had been used to sign non-malicious D-Link software meaning that the certificate was most likely stolen, the researchers said in their report.

Having confirmed the file’s malicious nature, we notified D-Link, who launched their own investigation into the matter. As a result, the compromised digital certificate was revoked by D-Link on July 3, 2018.

The analysis showed that there are two different malware families abusing the certificate – Plead malware which is a remotely controlled backdoor, and a related password stealing component. According to researchers from TrendMicro, the Plead backdoor is used by a cyber-espionage group known as BlackTech.

Along with the Plead malware samples signed with the stolen D-Link certificate, samples signed via a certificate by a Taiwanese security company, Changing Information Technology Inc, have also been discovered. It appears that the BlackTech hackers are still using the certificate even though it was revoked on July 4, 2017, a year ago.

The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region, the researchers noted.

It should be noted that “the signed Plead malware samples are highly obfuscated with junk code, but the purpose of the malware is similar in all samples: it downloads from a remote server or opens from the local disk a small encrypted binary blob“. The binary blob contains encrypted shellcode, which serves to download the final Plead backdoor module.

As for the the password stealer component, it is used specifically to harvest saved passwords from the following list of popular applications:

  • Google Chrome
  • Microsoft Internet Explorer
  • Microsoft Outlook
  • Mozilla Firefox

Stolen Certificates in Malware Distribution Still a Trend

Last year researchers at Venafi discovered that the illegal trade of digital code signing certificates was blooming. The certificates are mostly used to verify software products, proving their status as legitimate. If compromised, these certificates can be deployed to install malware on devices and networks without being detected.

Related Story: Stolen Code Signing Certificates Are the Hottest Dark Web Trend

The proof that there is now a significant criminal market for certificates throws our whole authentication system for the internet into doubt and points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates, researchers said.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree