Digitally signed malware has gained traction recently, utilizing legitimate digital certificates to mask malicious activities. Recent investigations have uncovered a malware campaign employing stolen valid digital certificates from Taiwanese technology firms, including D-Link, to authenticate their harmful applications and thereby appear trustworthy to unwitting users.
Digital certificates, issued by recognized certificate authorities (CAs), play a critical role in cryptographically signing software. A validly signed program runs without triggering security warnings because the operating system treats signed code as trustworthy. Attackers have increasingly exploited this: a stolen certificate carries its owner's trust with it, letting malware slip past security controls.
The use of compromised code-signing certificates presents a sophisticated challenge for cybersecurity measures. Hackers associate their malicious code with valid certificates from trusted vendors, dramatically reducing the likelihood of detection within targeted enterprise infrastructures and consumer environments.
Researchers from ESET have identified two distinct malware families linked to the BlackTech cyberespionage group, both of which have been authenticated using valid certificates from D-Link and Changing Information Technology, another Taiwanese security provider. The first identified malware, named Plead, functions as a remotely controlled backdoor, designed to pilfer sensitive information and conduct surveillance on users.
Alongside Plead, a related password-stealing malware has emerged, engineered to siphon saved credentials from popular web browsers such as Google Chrome and Mozilla Firefox, as well as from email platforms like Microsoft Outlook.
After being informed of the breach, D-Link and Changing Information Technology moved quickly to revoke the affected digital certificates on July 3 and July 4, 2018. Worryingly, however, many antivirus solutions do not check whether a signing certificate has since been revoked, so the BlackTech hackers have been able to keep deploying tools signed with the compromised certificates even after revocation.
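To make the revocation gap concrete, here is an added example (not from the article or from ESET) of a defender-side triage rule: it contrasts an expiry-only check, which still accepts everything signed with the revoked certificates, with a revocation-aware check. All serials, file names and dates are constructed, and the "signed before revocation" exception is an assumed policy modelled on how Authenticode treats timestamped signatures.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

# Constructed revocation data keyed by (issuer, serial). The serials are
# placeholders; the article does not give the real certificate serials.
REVOKED = {
    ("Sample CA", "01"): datetime(2018, 7, 3, tzinfo=UTC),  # stands in for the D-Link cert
    ("Sample CA", "02"): datetime(2018, 7, 4, tzinfo=UTC),  # stands in for the Changing IT cert
}

@dataclass
class SignedFile:
    path: str
    issuer: str
    serial: str
    not_after: datetime                 # certificate expiry
    countersign_ts: Optional[datetime]  # trusted timestamp on the signature, if any

def naive_ok(f: SignedFile, now: datetime) -> bool:
    """What a lax checker does: only confirms the certificate has not expired."""
    return now <= f.not_after

def verdict(f: SignedFile) -> str:
    """Revocation-aware decision. Assumed policy: reject if the certificate is
    revoked, unless a trusted timestamp proves the signature predates revocation."""
    revoked_at = REVOKED.get((f.issuer, f.serial))
    if revoked_at is None:
        return "trusted"
    if f.countersign_ts is not None and f.countersign_ts < revoked_at:
        return "signed-before-revocation"
    return "revoked"

def triage(files, now):
    """Files an expiry-only check accepts but revocation checking rejects."""
    return [f.path for f in files if naive_ok(f, now) and verdict(f) == "revoked"]

# Constructed samples; expiry in 2019 so every certificate still looks "valid".
EXPIRY = datetime(2019, 12, 31, tzinfo=UTC)
NOW = datetime(2018, 7, 20, tzinfo=UTC)
SAMPLES = [
    SignedFile("vendor_tool.exe", "Sample CA", "01", EXPIRY,
               datetime(2017, 5, 1, tzinfo=UTC)),   # legitimate, timestamped pre-revocation
    SignedFile("sample_backdoor.exe", "Sample CA", "01", EXPIRY, None),  # no timestamp
    SignedFile("sample_stealer.exe", "Sample CA", "02", EXPIRY,
               datetime(2018, 7, 10, tzinfo=UTC)),  # timestamped after revocation
    SignedFile("other.exe", "Sample CA", "03", EXPIRY, None),           # not revoked
]

if __name__ == "__main__":
    print(triage(SAMPLES, NOW))  # ['sample_backdoor.exe', 'sample_stealer.exe']
```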
The researchers noted that the ability to infiltrate multiple Taiwanese tech companies and leverage their code-signing certificates indicates a high level of sophistication and a focus on that specific region by BlackTech. This incident is not isolated; historically, valid certificates have been used for malicious ends, as seen with the notorious Stuxnet worm that targeted Iranian nuclear facilities in 2003 and the 2017 CCleaner hack involving tainted software updates.
In considering the tactics used in this attack, several MITRE ATT&CK techniques are relevant. Initial access was achieved via compromised credentials, and the signed malware then provided persistent access. Furthermore, privilege escalation techniques may have been used to gain higher levels of access within victim systems.
As businesses continue to navigate the complexities of cybersecurity threats, understanding these evolving tactics is paramount. With the threat landscape consistently shifting, reliance on security layers, including vigilance regarding digital certificates, has never been more crucial for safeguarding sensitive data.