Stolen legitimate security certificates used to push Plead backdoor

News by Doug Olenick

A cyber-gang described by researchers as "highly skilled" has been using legitimate code-signing certificates stolen from D-Link and Changing Information Technology to help spread the Plead malware.

The campaign came to light when ESET noticed malware-laden files signed with a valid D-Link Corporation code-signing certificate. Because the same certificate had been used to sign legitimate D-Link software, ESET's Anton Cherepanov concluded that it had most likely been stolen.

"Probably the most infamous malware known to have used several stolen digital certificates is the Stuxnet worm, discovered in 2010 and the malware behind the very first cyber-attack to target critical infrastructure. Stuxnet used digital certificates stolen from RealTek and one from JMicron, two well-known technology companies based in Taiwan," he said.

The files signed with the stolen certificate were found to be pushing two malware families: Plead, a remotely controlled backdoor, and a password stealer related to Plead.

Last year Trend Micro identified the cyber-gang BlackTech as being behind Plead.

While investigating the Plead samples, Cherepanov came across others signed with a certificate belonging to the Taiwan-based Changing Information Technology.

D-Link and Changing Information Technology were immediately informed that their certificates were being misused, and both companies revoked them.
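What a stolen code-signing key looks like to a verifier, and what revocation does and does not fix, as an added example that is not from this article or from ESET. The Go program below is self-contained: it generates a constructed self-signed "vendor" certificate (no real vendor's key, serial or name is used), signs a benign update and, with the same key, a constructed stand-in for the Plead loader; both signatures verify, because a valid signature proves only which key was used, not who used it. It then issues a CRL and applies the rule Windows Authenticode applies to revoked signing certificates: signatures carrying a trusted timestamp earlier than the revocation time stay valid, later ones are rejected. The dates are chosen to mirror the story, not the real revocation dates; the signature is a plain detached ECDSA signature rather than the PKCS#7 structure embedded in a PE file; and the certificate is marked as a CA only so it can sign its own CRL in this toy setup, whereas a real verifier gets the CRL from the issuing CA and checks the whole chain and the timestamp countersignature as well.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Vendor stands in for a legitimate vendor whose code-signing key an attacker has stolen (constructed).
type Vendor struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}
func NewVendor(name string, notBefore time.Time) (*Vendor, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(4242), // arbitrary constructed serial, not any real vendor's
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(2, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // CA/CRLSign only so the toy cert can sign its own CRL (also derives SubjectKeyId)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Vendor{Cert: cert, Key: key}, err
}

// SignedFile stands in for a signed executable: bytes, detached signature, trusted timestamp.
type SignedFile struct {
	Payload, Sig []byte
	SignedAt     time.Time
}

// Sign signs the SHA-256 digest of payload; anyone holding the key, thief included, can do this.
func (v *Vendor) Sign(payload []byte, at time.Time) (SignedFile, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, v.Key, h[:])
	return SignedFile{Payload: payload, Sig: sig, SignedAt: at}, err
}

// Revoke issues a CRL marking the vendor certificate revoked at the given time.
func (v *Vendor) Revoke(at time.Time) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: at, NextUpdate: at.AddDate(0, 0, 7),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: v.Cert.SerialNumber, RevocationTime: at}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, v.Cert, v.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

var ErrRevoked = errors.New("certificate revoked before the signature timestamp")

// Check is the verifier's side: a good signature proves only that the key was used, so Check also
// consults the CRL and, following the Authenticode rule, rejects signatures timestamped at or after revocation.
func Check(cert *x509.Certificate, crl *x509.RevocationList, f SignedFile) error {
	h := sha256.Sum256(f.Payload)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], f.Sig) {
		return errors.New("signature does not verify")
	}
	if crl == nil {
		return nil
	}
	if err := crl.CheckSignatureFrom(cert); err != nil { // never trust an unsigned or foreign CRL
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 && !f.SignedAt.Before(rc.RevocationTime) {
			return ErrRevoked
		}
	}
	return nil
}
func main() {
	v, _ := NewVendor("Constructed Vendor Corp", time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC))
	update, _ := v.Sign([]byte("vendor-updater.exe (constructed)"), time.Date(2017, 6, 1, 0, 0, 0, 0, time.UTC))
	loader, _ := v.Sign([]byte("plead-loader.exe (constructed)"), time.Date(2018, 5, 1, 0, 0, 0, 0, time.UTC))
	crl, _ := v.Revoke(time.Date(2018, 4, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println("loader, no CRL:  ", Check(v.Cert, nil, loader)) // <nil>: the stolen key signs cleanly
	fmt.Println("loader, with CRL:", Check(v.Cert, crl, loader)) // revoked
	fmt.Println("update, with CRL:", Check(v.Cert, crl, update)) // <nil>: timestamped before revocation
}
```

The middle line is the point of the story: nothing in the cryptography distinguishes the attacker's loader from the vendor's own release, so the only signal is the revocation, and a verifier that skips CRL or OCSP checks (or a machine that cannot reach them) keeps trusting the stolen certificate indefinitely. The last line is the caveat that makes revocation safe to use: because the comparison is against the signature's trusted timestamp, revoking the certificate does not break the vendor's earlier legitimate releases.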

"The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region," Cherepanov wrote.

The signed malware downloads from a remote server, or reads from the local disk, a small binary blob containing encrypted shellcode, which in turn retrieves the Plead backdoor.

The password-stealer variant collects credentials from Chrome, Internet Explorer, Outlook and Firefox.

"Code signing certificates are often a core component of DevOps and cloud infrastructure; and because organisations are using a lot more machine identities, these risks will only grow. In fact, researchers are already seeing a dramatic rise in the trade of stolen code signing certificates on the Dark Web," said Kevin Bocek, Venafi's VP of security strategy and threat intelligence.
