Researchers have unveiled a new malicious campaign using stolen D-Link certificates to sign malicious software.
The cybersecurity company ESET said on Monday that the campaign was discovered when the company's systems flagged several files as malicious.
The files caught the researchers' interest after it was noted that they were digitally signed with a legitimate D-Link code signing certificate.
Code signing certificates are issued so that the origin and integrity of files and software can be verified. If a threat actor manages to steal one, they can sign malicious software so that it appears legitimate and bypasses standard security solutions.
ESET says that the same certificate was used to sign legitimate D-Link software, and so, "the certificate was probably stolen."
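The paragraph above describes why a stolen code signing certificate is dangerous: the signature is technically valid, so tools that trust any valid signature will wave the file through. The following PowerShell script is an added defender-side example, not code from the article or from ESET, that triages signed binaries in a folder, reports the signer, and checks the signer certificate's chain with online revocation checking. The folder path and the watched subject string ('D-Link') are placeholders, and the extensions scanned are an assumption.

```powershell
# Added example (not from the article or the ESET report): triage Authenticode-signed
# binaries, surface those signed by a watched organisation, and check revocation.
param(
    [string]$Path = '.',              # placeholder: directory to scan
    [string]$WatchedSubject = 'D-Link' # assumption: substring expected in the signer Subject
)

Add-Type -AssemblyName System.Security

Get-ChildItem -Path $Path -Include *.exe,*.dll,*.sys -Recurse -File | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate
    if (-not $cert) { return }   # unsigned files are out of scope for this check

    # Get-AuthenticodeSignature reports whether the signature verifies, but a chain
    # built with online revocation checking is needed to learn whether the signer
    # certificate has since been revoked (CRL/OCSP lookups require network access).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainBuilt = $chain.Build($cert)
    $revoked = [bool]($chain.ChainStatus | Where-Object Status -eq 'Revoked')

    [pscustomobject]@{
        File          = $_.FullName
        Status        = $sig.Status                 # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer        = $cert.Subject
        Thumbprint    = $cert.Thumbprint            # pin this in a blocklist once a cert is known stolen
        NotAfter      = $cert.NotAfter
        TimeStamped   = [bool]$sig.TimeStamperCertificate
        ChainBuilt    = $chainBuilt
        Revoked       = $revoked
        WatchedSigner = ($cert.Subject -like "*$WatchedSubject*")
    }
} | Where-Object { $_.WatchedSigner -or $_.Revoked -or $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

Two points follow from the output. First, a file signed with a stolen certificate shows `Status = Valid`, so the signer thumbprint and subject, not the validity verdict, are what you match against a list of known-compromised certificates. Second, revocation is not a complete remedy on its own: a signature that carries a trusted timestamp from before the revocation date remains valid unless the CA backdates the revocation, which is why blocklisting the thumbprint in your endpoint tooling is the durable control.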
The campaign is believed to be the work of BlackTech, an advanced persistent threat (APT) group focused on targets in Asia, including Taiwan, Japan and Hong Kong.
BlackTech appears to focus on cyber espionage, which is consistent with the two different malware families that ESET found using the stolen certificate.
The main malware family is PLEAD, which includes a backdoor component and the DRIGO exfiltration tool. PLEAD malware is either downloaded from an external server or opened from a local disk, where it is stored as an encrypted binary. The encrypted file contains shellcode that downloads the full backdoor module, which is then executed to maintain persistence on an infected system.
PLEAD has been linked to information theft campaigns since 201
ESET also detected a password stealer signed with the certificate. The malicious code attempts to harvest saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, and Mozilla Firefox.
In addition, other malware samples have been detected using a certificate belonging to the Taiwanese company Changing Information Technology. This certificate was revoked earlier this month, but it is still being used by BlackTech to sign malicious software.
"The ability to compromise several Taiwan-based technology companies and reuse their code signing certificates in future attacks shows that this group is highly qualified and focused on that region," said ESET.
ESET reported its findings to D-Link, which then launched an investigation of the alleged stolen certificate.
Upon completion, the vendor confirmed that two digital certificates were compromised and immediately revoked on July 3, 2018. New certificates were issued to resolve the issue.