A new malware campaign leveraging stolen digital certificates has been discovered by security researchers at cybersecurity firm ESET. The researchers noticed the campaign when their detection systems flagged several files as suspicious.
Plead Malware Using the Stolen Certificates
It turned out that the flagged files carried a valid digital signature made with a D-Link Corporation code-signing certificate. The same certificate had been used to sign legitimate D-Link software, which indicates that the certificate itself was genuine and that its private key was most likely stolen, the researchers said in their report.
As ESET put it: “Having confirmed the file’s malicious nature, we notified D-Link, who launched their own investigation into the matter. As a result, the compromised digital certificate was revoked by D-Link on July 3, 2018.”
The analysis showed two different malware families abusing the certificate: the Plead backdoor, which is remotely controlled, and a related password-stealing component. According to researchers from Trend Micro, the Plead backdoor is used by a cyber-espionage group known as BlackTech.
Along with the Plead samples signed with the stolen D-Link certificate, samples signed with a certificate belonging to a Taiwanese security company, Changing Information Technology Inc, have also been found. BlackTech appears to be still using that certificate even though it was revoked on July 4, 2017, a year earlier.
The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region, the researchers noted.
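The revocation timeline above is the part a defender can act on: a file signed with a stolen key can still verify as "Valid" if its countersignature timestamp predates the certificate's revocation date, and revocation checks that cannot reach the CA's CRL often do not fail the verification at all. The following Python script is an added example, not ESET's, D-Link's or the article's own code. It triages the signature metadata a checker such as signtool, Get-AuthenticodeSignature or osslsigncode reports for each file against a watchlist of known-abused certificates. The thumbprints and the sample records are constructed placeholders; only the publisher names and revocation dates come from the article.

```python
"""Triage code-signing metadata against a watchlist of known-abused certificates.

Added example; not ESET's, D-Link's or the article's code.  Thumbprints and the
sample records below are placeholders constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class RevokedCert:
    thumbprint: str          # placeholder, not the real certificate's SHA-1 thumbprint
    subject: str
    revoked_on: datetime     # revocation date published by the CA / the article
    note: str


@dataclass
class SignatureRecord:
    """What a signature checker typically reports for one file."""
    path: str
    status: str                            # "Valid", "NotSigned", "HashMismatch", "NotTrusted", ...
    signer_subject: Optional[str] = None
    signer_thumbprint: Optional[str] = None
    timestamp: Optional[datetime] = None   # trusted countersignature time, if present


# Watchlist built from the two publishers named in the article.  Dates are the
# revocation dates the article gives; thumbprints are placeholders.
WATCHLIST: List[RevokedCert] = [
    RevokedCert("PLACEHOLDER-THUMBPRINT-DLINK", "D-Link Corporation",
                datetime(2018, 7, 3, tzinfo=timezone.utc),
                "revoked after ESET reported Plead samples signed with it"),
    RevokedCert("PLACEHOLDER-THUMBPRINT-CHANGING", "Changing Information Technology Inc",
                datetime(2017, 7, 4, tzinfo=timezone.utc),
                "revoked; still abused by BlackTech a year later"),
]


def triage(rec: SignatureRecord, watchlist: List[RevokedCert]) -> List[str]:
    """Return finding tags for one file; an empty list means nothing notable."""
    if rec.status == "NotSigned":
        return ["unsigned"]

    findings: List[str] = []
    if rec.status != "Valid":
        # HashMismatch = file modified after signing, NotTrusted = chain does not
        # reach a trusted root, and so on.  Keep the checker's own status in the tag.
        findings.append(f"signature-{rec.status.lower()}")

    hit = next((c for c in watchlist if c.thumbprint == rec.signer_thumbprint), None)
    if hit is None:
        return findings

    # Signed by a certificate we know was stolen and revoked.  Whether the OS still
    # accepts the signature depends on the countersignature time, so record that
    # instead of trusting a "Valid" status.
    if rec.timestamp is None:
        findings.append("revoked-signer-no-timestamp")
    elif rec.timestamp >= hit.revoked_on:
        findings.append("revoked-signer-signed-after-revocation")
    else:
        # Timestamped before the revocation date: the signature still validates,
        # which is exactly the window an attacker holding a stolen key exploits.
        findings.append("revoked-signer-timestamped-before-revocation")
    return findings


def triage_all(records: List[SignatureRecord],
               watchlist: List[RevokedCert] = WATCHLIST) -> Dict[str, List[str]]:
    return {r.path: triage(r, watchlist) for r in records}


# Constructed sample records (not real samples, hashes or thumbprints).
SAMPLES = [
    SignatureRecord("loader.exe", "Valid", "D-Link Corporation",
                    "PLACEHOLDER-THUMBPRINT-DLINK",
                    datetime(2018, 6, 20, tzinfo=timezone.utc)),
    # Reported "Valid" e.g. on a host whose revocation check could not complete.
    SignatureRecord("dropper.exe", "Valid", "Changing Information Technology Inc",
                    "PLACEHOLDER-THUMBPRINT-CHANGING",
                    datetime(2018, 5, 10, tzinfo=timezone.utc)),
    SignatureRecord("stealer.exe", "NotTrusted", "Changing Information Technology Inc",
                    "PLACEHOLDER-THUMBPRINT-CHANGING", None),
    SignatureRecord("tampered.exe", "HashMismatch", "Example Vendor",
                    "PLACEHOLDER-THUMBPRINT-VENDOR",
                    datetime(2018, 1, 1, tzinfo=timezone.utc)),
    SignatureRecord("clean.exe", "Valid", "Example Vendor",
                    "PLACEHOLDER-THUMBPRINT-VENDOR",
                    datetime(2018, 1, 1, tzinfo=timezone.utc)),
    SignatureRecord("unsigned.dll", "NotSigned"),
]

if __name__ == "__main__":
    for path, tags in triage_all(SAMPLES).items():
        print(f"{path:14} {', '.join(tags) or 'ok'}")
```

Two points of the design matter in practice. First, the watchlist is keyed on the certificate, not on the verifier's verdict, because a "Valid" status on a file timestamped before July 3, 2018 is the expected outcome for the D-Link case and must not be read as a clean bill of health. Second, legitimate D-Link software signed with the same certificate will hit the watchlist too, so a "revoked-signer" finding means "pull the file for analysis", not "malicious"; the timestamp and where the file came from are what separate the two.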
It should be noted that “the signed Plead malware samples are highly obfuscated with junk code, but the purpose of the malware is similar in all samples: it downloads from a remote server or opens from the local disk a small encrypted binary blob“. The binary blob contains encrypted shellcode, which serves to download the final Plead backdoor module.
As for the password-stealer component, it harvests saved passwords from the following popular applications:
- Google Chrome
- Microsoft Internet Explorer
- Microsoft Outlook
- Mozilla Firefox
Stolen Certificates in Malware Distribution Still a Trend
Last year researchers at Venafi found that the illegal trade in code-signing certificates was thriving. Such certificates vouch for a software publisher’s identity and confirm that a file has not been altered since it was signed. If compromised, they let attackers install malware on devices and networks with a much lower chance of detection, since operating systems and many security tools treat validly signed code as trustworthy.
The existence of a significant criminal market for certificates calls the internet’s whole authentication system into question and points to an urgent need for technology that counters the misuse of digital certificates, the researchers said.