Security researchers have discovered yet another cyber-attack campaign using stolen certificates to circumvent traditional security tools.
The tactic was being used to launch a remotely controlled backdoor dubbed Plead and a related password stealer, according to Eset senior malware researcher, Anton Cherepanov.
Plead was spotted last year being used by a group known as BlackTech to compromise targets in East Asia including Hong Kong, Japan and Taiwan, and as such could be a Beijing-backed venture.
Two certificates were used to sign the malware, one belonging to Taiwanese security company Changing Information Technology and another issued by D-Link.
“We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate. The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen,” explained Cherepanov.
After being notified of the discovery, D-Link revoked the certificate last week, he added.
However, BlackTech is still using the Changing Information Technology certificate, despite it also having been revoked last week.
Kevin Bocek, chief cybersecurity officer at Venafi, pointed out that the use of stolen certificates is not new and was in fact popularized by the Stuxnet authors.
“If you steal trusted machine identities from global technology companies, you can execute highly effective attacks that don’t raise any alarms. This is just one more demonstration of how machine identities, in this case code signing certificates, are being abused by malicious actors. There’s no doubt we’re going to see a lot more of these attacks in the future,” he added.
“Code-signing certificates are often a core component of DevOps and cloud infrastructure; and because organizations are using a lot more machine identities, these risks will only grow. In fact, researchers are already seeing a dramatic rise in the trade of stolen code-signing certificates on the dark web.”