Security experts from ESET discovered that an APT group tracked as BlackTech is using code-signing certificates stolen from Taiwanese-based tech firm D-Link and the security company Changing Information Technology Inc.
According to the experts, the cyber espionage group is highly skilled and most of its victims are in the East Asia region, particularly Taiwan.
The attackers used the certificates to sign the code of the Plead backdoor that has been in the wild since at least 2012.
The Plead backdoor was used by threat actors to exfiltrate confidential documents from Taiwanese government agencies and private organizations.
“We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate.” reads the analysis published by ESET.
“The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen.”
ESET reported the abuses to the D-Link that revoked two certificates on July 3 and informed its customers that most of them should not be affected by the revocation.
“D-Link recently discovered that two of its code signing certificates were misappropriated. Upon discovery, we immediately decommissioned the certificates and investigated the issue.” reads the advisory published by D-Link.
“Like several other companies in Asia, D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong. The two affected D-Link certificates were revoked, effective July 3rd, 2018. New certificates have been issued to resolve this problem.”
Taiwan-based Changing Information Technology Inc. revoked the abused certificate on July 4, but according to ESET, the hackers continued to use it to spread the malware.
ESET identified two different malware families that were abusing the stolen certificate, the Plead backdoor, and a related password stealer component that could gather saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, and Mozilla Firefox.
The signed Plead backdoor are highly obfuscated with junk code, it was used to download from a remote server or opens from the local disk a small encrypted binary blob. This blob includes an encrypted shellcode that downloads the final Plead backdoor module.
Why do the attackers steal digital certificates?
Attackers use to sign the malicious code with digital certificates in the attempt to make the malware appearing like legitimate applications bypassing security measures.
The most popular case of a malware abusing code-signing certificates was the Stuxnet worm, that misused digital certificates stolen from RealTek and JMicron.
(Security Affairs – PLEAD Malware, BlackTech)