ESET Research Laboratory, a proactive threat detection company, identified that a cyber espionage group has stolen and used digital certificates from Taiwanese technology companies such as D-Link and Changing Information Technologies.
ESET discovered the malware campaign when its systems detected several suspicious files. They were digitally signed with a valid code-signing certificate belonging to D-Link Corporation. The same certificate had been used to sign legitimate D-Link software, which indicated that the certificate had most likely been stolen.
The analysis identified two different malware families that misused the stolen certificate: the Plead malware, a remotely controlled backdoor, and a malicious component related to a password-stealing program. The password-stealing tool is used to collect passwords stored in applications such as Google Chrome, Microsoft Internet Explorer, Microsoft Outlook and Mozilla Firefox.
The misuse of digital certificates is one of the many ways cyber criminals attempt to conceal their malicious intentions: stolen certificates can hide malware and give it the appearance of a legitimate application, increasing the chances that the malicious code slips past security measures without arousing suspicion.
in Taiwan and reusing the code-signing certificate in future attacks shows that the group is highly skilled and that it focuses mainly on this region.
Having confirmed the malicious nature of the files, ESET notified D-Link, which initiated its own investigation into the matter. As a result, D-Link revoked the compromised digital certificate on July 3, 2018.
Image 1. Code signing certificate owned by D-Link Corporation used to sign the malicious software.
Besides the Plead sample signed with the D-Link certificate, ESET researchers also identified signed samples in which a certificate belonging to a Taiwanese security company known as Changing Information Technology Inc. had been used. Although the Changing Information Technology Inc. certificate was revoked on July 4, 2017, the BlackTech group continues to use it to sign its malicious tools.
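The two situations described above (a certificate revoked after it was found signing malware, and a certificate that keeps being used long after revocation) are exactly what a defender's triage of signed binaries should separate. The following is an added example, not code from ESET, D-Link or the article: it assumes the signer subject, certificate serial and timestamp-countersignature time have already been extracted from each file (for instance with `Get-AuthenticodeSignature` or `signtool verify`), and all serials, paths and dates in it are constructed placeholders rather than the real certificates.

```python
"""Triage signed binaries against a revocation list (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SignedBinary:
    path: str
    signer_subject: str
    signer_serial: str              # hex serial of the code-signing certificate
    signed_at: Optional[datetime]   # time from a trusted timestamp countersignature, if any


# Constructed revocation data: hypothetical serials and dates, not the real certificates.
REVOKED_CERTS: Dict[str, datetime] = {
    "0d:11:22:33": datetime(2018, 7, 3, tzinfo=timezone.utc),  # stands in for a recently revoked cert
    "0e:44:55:66": datetime(2017, 7, 4, tzinfo=timezone.utc),  # stands in for a long-revoked cert
}


def classify(binary: SignedBinary, revoked: Dict[str, datetime]) -> str:
    """Return a verdict for one signed file.

    not-revoked               : cert not on the list (chain validation still required)
    revoked-no-timestamp      : revoked cert and no trusted signing time -> treat as malicious
    signed-after-revocation   : signed after the cert was known compromised -> malicious
    signed-before-revocation  : timestamped before revocation; could be genuine software
                                or malware signed before the theft was noticed -> suspect
    """
    revoked_at = revoked.get(binary.signer_serial)
    if revoked_at is None:
        return "not-revoked"
    if binary.signed_at is None:
        return "revoked-no-timestamp"
    if binary.signed_at >= revoked_at:
        return "signed-after-revocation"
    return "signed-before-revocation"


def triage(binaries: List[SignedBinary], revoked: Dict[str, datetime]) -> List[dict]:
    """Classify every binary; anything touching a revoked cert is blocked pending review."""
    results = []
    for b in binaries:
        verdict = classify(b, revoked)
        results.append({
            "path": b.path,
            "subject": b.signer_subject,
            "verdict": verdict,
            "block": verdict != "not-revoked",
        })
    return results


# Constructed sample input: four files with placeholder paths and signers.
SAMPLE_BINARIES: List[SignedBinary] = [
    SignedBinary("installer.exe", "Example Corp", "0a:aa:bb:cc",
                 datetime(2018, 6, 1, tzinfo=timezone.utc)),
    SignedBinary("backdoor.dll", "Example Hardware Vendor", "0d:11:22:33",
                 datetime(2018, 7, 10, tzinfo=timezone.utc)),
    SignedBinary("old_driver.sys", "Example Hardware Vendor", "0d:11:22:33",
                 datetime(2018, 1, 15, tzinfo=timezone.utc)),
    SignedBinary("stealer.exe", "Example Security Vendor", "0e:44:55:66", None),
]


def blocked_count(binaries: List[SignedBinary], revoked: Dict[str, datetime]) -> int:
    """Number of files the triage would hold back for analysis."""
    return sum(1 for r in triage(binaries, revoked) if r["block"])


if __name__ == "__main__":
    for row in triage(SAMPLE_BINARIES, REVOKED_CERTS):
        print(f"{row['path']:16} {row['subject']:26} {row['verdict']}")
```

The "signed-before-revocation" class is the awkward one: Authenticode treats a timestamped signature as valid even after the certificate is revoked, unless the revocation is dated before the signing time, and an attacker who has the private key can sign and timestamp freely until the theft is noticed. Files in that class should be compared against the vendor's known-good hashes rather than trusted on the signature alone.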