RESEARCHERS have uncovered a malware campaign based around the use of stolen digital certificates from some household names.
‘Plead’ is a campaign aimed largely at Taiwan and that neck of the East Asian woods. It was spotted by security firm ESET, which was tipped off by some “suspicious” detections thrown up by its own software.
It appears that the criminals had stolen a digital certificate from D-Link, which allowed them to sign malicious code so that it appeared trustworthy. Because the same certificate had also been in legitimate use, D-Link’s security staff are already investigating the matter themselves, and the certificate was revoked on 3 July.
Two strains of Plead exist – one straightforward beastie, and one password stealer capable of lifting from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook and Mozilla Firefox.
Plead is used by BlackTech, a known cyber-espionage group, which fits the locations of the attacks, since BlackTech is known to operate in this region. It’s usually after technology to steal – so it’s more about industrial espionage than out-and-out malicious hackery.
ESET notes that this level of complexity in the group’s attacks shows these guys are both highly skilled and highly focused on their region.
If you need some context, remember Stuxnet? Yeah. That. Again.
A few samples run off a Changing Information Technology certificate rather than the D-Link one. In this case, the certificate has already been revoked, and yet the hackers are still using it.
Reams of junk code are used to hide the malicious bits, which are then downloaded from either a remote server or a ‘binary blob’ on a local disk.
Whilst, clearly, this particular campaign isn’t aimed at the likes of us and the risk is low, the fact that stolen code-signing certificates are still proving to be a viable means of attack shows that next time, it could be us. Eek.
Source: Inquirer