Stolen digital certificates used in spreading malware Plead




Stolen digital certificates at the center of a new malicious campaign made malware appear harmless before it stole users' passwords.

A cyberespionage group was using stolen digital certificates to sign the Plead backdoor malware and a password-stealing component in East Asia, according to Anton Cherepanov, senior malware researcher at ESET. The password stealer targeted the Chrome, Mozilla Firefox and Internet Explorer browsers, as well as Microsoft Outlook.

Cherepanov determined that the certificates were probably stolen because the malicious code was signed with the "same certificate".

"Recently, JPCERT released a thorough analysis of the Plead backdoor, which, according to Trend Micro, is being used by the BlackTech cyber espionage group," Cherepanov wrote in a blog post. "In addition to the Plead samples signed with the D-Link certificate, ESET researchers also identified signed samples using a certificate belonging to a Taiwanese security company named Changing Information Technology Inc. Despite the fact that the Changing Information Technology Inc. certificate was revoked on July 4, 2017, the BlackTech group still uses it to sign its malicious tools."

ESET researchers contacted D-Link about the stolen digital certificates, and D-Link revoked the compromised certificate on July 3. Cherepanov said that this case was different from the recent problems with compromised SSL certificates because the stolen digital certificates were used to sign malicious files, and "unlike SSL certificates, code signing certificates cannot be obtained for free."

"Digital certificates are one of the many ways that cybercriminals try to hide their malicious intent, because stolen certificates allow malware to appear as legitimate apps. In addition, the malware is more likely to slip past security measures without arousing suspicion," Cherepanov wrote by e-mail. "This technique also helps attackers bypass native, built-in OS protection measures that rely on the validity of these certificates. Also, the certificates of a Taiwan-based company were stolen and misused by Stuxnet."
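The misuse Cherepanov describes hinges on how signature validation handles a revoked certificate: a timestamped Authenticode signature made before the revocation date is generally still accepted unless the CA backdates the revocation, so a stolen certificate can keep "working" after it is pulled. The triage logic below is an added example, not ESET's or the article's code; it assumes signer metadata has already been extracted from the files, and the thumbprints, paths and the D-Link revocation year are constructed placeholders (only the Changing Information Technology revocation date comes from the article).

```python
# Added example: triage signed files against a revocation table, separating the
# cases an analyst cares about. All thumbprints and paths are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class SignerInfo:
    path: str
    signer_subject: str
    thumbprint: str                    # hash of the signer certificate (placeholder values below)
    signing_time: Optional[datetime]   # trusted countersignature time; None if untimestamped


# Constructed revocation table keyed by thumbprint. The Changing Information Technology
# date is the one the article states; the D-Link date is a constructed assumption.
REVOKED: Dict[str, datetime] = {
    "THUMBPRINT-CHANGING-IT-PLACEHOLDER": datetime(2017, 7, 4, tzinfo=timezone.utc),
    "THUMBPRINT-DLINK-PLACEHOLDER": datetime(2018, 7, 3, tzinfo=timezone.utc),
}


def classify(sig: SignerInfo, revoked: Dict[str, datetime] = REVOKED) -> str:
    """Return one verdict string for a signed file.

    A timestamped signature that predates revocation still validates under the
    usual Authenticode rules, so the revoked outcomes are split three ways.
    """
    revoked_at = revoked.get(sig.thumbprint)
    if revoked_at is None:
        return "not-on-revoked-list"
    if sig.signing_time is None:
        return "revoked-cert-untimestamped"      # cannot prove it predates revocation
    if sig.signing_time >= revoked_at:
        return "signed-after-revocation"         # certificate used after revocation: strong misuse signal
    return "signed-before-revocation"            # chain still validates; review if the cert is known stolen


def triage(sigs: List[SignerInfo]) -> Dict[str, List[str]]:
    """Group file paths by verdict so the suspicious buckets can be escalated."""
    out: Dict[str, List[str]] = {}
    for s in sigs:
        out.setdefault(classify(s), []).append(s.path)
    return out


SAMPLE = [  # constructed records that mirror the pattern the article describes
    SignerInfo("C:\\tools\\updater.exe", "CN=Changing Information Technology Inc.",
               "THUMBPRINT-CHANGING-IT-PLACEHOLDER", datetime(2018, 6, 1, tzinfo=timezone.utc)),
    SignerInfo("C:\\tools\\helper.dll", "CN=Changing Information Technology Inc.",
               "THUMBPRINT-CHANGING-IT-PLACEHOLDER", None),
    SignerInfo("C:\\tools\\legacy.exe", "CN=Changing Information Technology Inc.",
               "THUMBPRINT-CHANGING-IT-PLACEHOLDER", datetime(2017, 1, 10, tzinfo=timezone.utc)),
    SignerInfo("C:\\tools\\vendor.exe", "CN=Some Vendor", "THUMBPRINT-OK-PLACEHOLDER", None),
]
```

Running `triage(SAMPLE)` puts `updater.exe` in the signed-after-revocation bucket, which is the situation the article describes for the Changing Information Technology certificate.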

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said "there is no doubt that we will see many more of these attacks in the future," in which machine identities and stolen certificates are abused by malicious actors.

"Code signing certificates are a method of ensuring the identity of the code developer. Ideally, they verify that the software has been published by a trusted company. They also check the software to make sure it has not been degraded, corrupted, or tampered with," Bocek wrote by e-mail. "Because of the power of these certificates, if they fall into the wrong hands, they can be the 'keys to the kingdom.' Any attacker or malicious developer can get a private key for code signing if they really want one, but that requires them to register with a [certificate authority] to get it, which makes it much easier to identify them if they distribute malicious code; hence the existence of a flourishing black market for stolen code signing certificates."
