Cyberespionage Group Steals Certificates to Sign Malware

A cyberespionage group has stolen code-signing certificates from D-Link and another Taiwanese technology company and used them to sign a backdoor program.

BlackTech is a group of attackers known for targeting organizations from East Asia, particularly from Japan, Taiwan and Hong Kong. According to an analysis last year by researchers from Trend Micro, the group might be responsible for cyberespionage campaigns dating back to at least 2010 and its goal is to steal the technology of its victims.

BlackTech’s toolset includes a backdoor program dubbed Plead and a file exfiltration tool called Drigo. Plead allows attackers to harvest credentials saved in browsers and email clients; open remote shells on infected computers; list processes, drives and open windows; and upload, delete and execute files.

Security researchers from antivirus vendor ESET have recently detected several Plead samples that were signed with digital certificates issued to D-Link and a Taiwanese security company called Changing Information Technology Inc.

The D-Link certificate was still valid when the samples were discovered and had also been used in the past to sign legitimate software applications made by the company. The certificate was revoked July 3 after ESET alerted D-Link about its misuse.

The certificate belonging to Changing Information Technology has been revoked since July 4, 2017, but it appears that BlackTech is still using it to sign malware, highlighting the difficulty of mitigating the effects of stolen certificates.

“Misusing digital certificates is one of the many ways cybercriminals try to mask their malicious intentions – as the stolen certificates let malware appear like legitimate applications, the malware has a greater chance of sneaking past security measures without raising suspicion,” the ESET researchers said in a blog post.

Digital file signatures are used in a variety of systems to establish file reputation. For example, the Windows User Account Control (UAC) displays different notifications when digitally signed executables want to run with elevated privileges compared to non-signed files. The Microsoft SmartScreen technology that checks executable files downloaded from the web also verifies digital signatures.

According to some studies, signing malware with legitimate certificates, or even appending a copied signature, is enough to evade detection by some antivirus programs and security solutions. One of the most well-known malware programs that had components signed with digital certificates stolen from technology companies was the Stuxnet cybersabotage worm.

One problem is that some security programs don’t check the certificate revocation status in real time, and even when they do, they continue to trust programs that were signed before the certificate’s revocation date, which might include malware. This is by design: an Authenticode signature that carries a trusted timestamp is evaluated as of the signing time, not the current time, so that legitimate software keeps working after its certificate expires or is revoked. The practical countermeasure is for the issuing CA to set the revocation date back to the estimated time of the key compromise, which invalidates everything signed after that point while leaving earlier, legitimate signatures intact.
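The following PowerShell script is an added example, not code from the article or from ESET, showing the two checks a responder would run on a suspect signed binary: the Authenticode signature itself via Get-AuthenticodeSignature, and the signer’s certificate chain with online revocation checking, evaluated once as of now and once as of an assumed signing time. The second run is what demonstrates the problem above: a chain that reports Revoked today can still build as Valid when evaluated at a time before the CRL’s revocation date. The script name, the -Path value and the -SigningTime parameter are assumptions; Get-AuthenticodeSignature exposes the timestamp server’s certificate but not the signing time, so that value has to come from another tool (for example signtool /v).

```powershell
# Added example (not from the article or ESET): Check-Signer.ps1
# Usage: .\Check-Signer.ps1 -Path .\suspect.exe -SigningTime '2018-06-01'
# -SigningTime is assumed to be the countersignature (timestamp) time obtained
# from another tool; it is optional.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [datetime]$SigningTime
)

function Test-ChainAt {
    # Build the signer's chain as of $When with online CRL/OCSP checking.
    # The chain engine compares $When with the revocation date from the CRL,
    # which is why a timestamped, pre-revocation signature still verifies.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [datetime]$When
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode   = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag   = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.VerificationTime = $When
    $ok = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())"
    }) -join '; '
    $chain.Dispose()
    [pscustomobject]@{
        VerifiedAt = $When
        Valid      = $ok
        Status     = $status
    }
}

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status) ($($sig.StatusMessage))"

if ($sig.SignerCertificate) {
    $c = $sig.SignerCertificate
    "Signer           : $($c.Subject)"
    "Issuer           : $($c.Issuer)"
    "Serial / SHA1    : $($c.SerialNumber) / $($c.Thumbprint)"
    "Validity         : $($c.NotBefore) to $($c.NotAfter)"
    "Timestamped      : $([bool]$sig.TimeStamperCertificate)"

    # 1. As of now: a certificate the CA has revoked shows 'Revoked' here,
    #    even though Get-AuthenticodeSignature may still report 'Valid' for a
    #    timestamped signature.
    Test-ChainAt -Cert $c -When (Get-Date) | Format-List

    # 2. As of the assumed signing time: this approximates what a verifier
    #    does when it honours the trusted timestamp. If the CRL's revocation
    #    date is later than this time, the chain still builds as Valid, which
    #    is exactly the window the article describes.
    if ($PSBoundParameters.ContainsKey('SigningTime')) {
        Test-ChainAt -Cert $c -When $SigningTime | Format-List
    }
}
```

When triaging, treat a Valid signature status together with a Revoked chain as a signal rather than a contradiction: compare the serial number and thumbprint against the vendor’s published revocation notice, and check whether the CA backdated the revocation, since only a revocation date earlier than the signing time will make the second run fail.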

Timehop Data Breach Affects 21 Million Users

Timehop, a mobile application that helps users remember what they were doing on the same day in previous years by resurfacing their old posts and photos from social media websites, had its cloud computing environment breached.

The breach was detected while in progress, but hackers managed to copy some user information, including names, email addresses and phone numbers. The service has 21 million users.

“No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected,” Timehop said in an announcement.

Access tokens that allowed users to link the Timehop application to their social media accounts to display old posts have also been compromised. Those tokens have now been revoked, so users will have to reconnect their accounts to Timehop.

Like the recent breach suffered by Gentoo, attackers gained access to Timehop’s cloud infrastructure through compromised credentials. Also, like the Gentoo breach, the attack was made possible by a lack of two-factor authentication for administrative accounts.

“We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts,” Timehop said.

“If we’ve told one organization, we’ve told 1,000,000 – organizations have to do the four basics to secure their infrastructure and key data sources,” said Bill Evans, a vice president at One Identity, via email. “(1) Deploy privileged access management: This means protecting the ‘keys to the kingdom’ with basic password vaulting as well as advanced session management and behavioral biometrics. (2) Deploy multi-factor authentication – ideally for the entire enterprise but minimally for those admin accounts. (3) Govern access – make sure users and admins have access to only those things that they need access to (4) Educate, educate, educate. While this goes for end users primarily, it’s always a good idea to make sure your admins and security pros have the timely access to information they need to stay ahead of the threat actors.”

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
