APT organization steals D-Link company digital certificate to sign its malware

Security researchers from ESET have discovered a new malware activity related to APT organisation BlackTech, which is abusing a valid digital certificate stolen from D-Link network equipment manufacturer and Taiwan security company Changing Information Technology. Its malware disguised as a legitimate application.

A digital certificate issued by a trusted certification authority (CA) is used to sign computer applications and software cryptographically, and the computer will trust the execution of these digital certificate programs without issuing any warning messages. In recent years, some malware authors and hackers looking to circumvent security scheme technologies have been abusing trusted digital certificates. They use their compromised code signing certificates associated with trusted software vendors to sign their malicious code to avoid being targeted. Detected on the network and user devices.

According to security researchers, this cyber espionage organisation is highly skilled, and most of them are targeting East Asia, especially Taiwan. ESET identified two malware families. The first malware called Plead. It is a backdoor for remote control designed to steal confidential files and monitor users. Plead has signed its code with a valid certificate since at least 2012. The two malware are password stealers intended to collect saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, and Mozilla Firefox.

Image: welivesecurity

The researchers notified D-link and Changing Information Technology of the problem, and the damaged digital certificates were revoked on July 3 and July 4, 2018, respectively.

This is not the first time a hacker has used a valid certificate to sign their malware. A valid digital certificate also used in 2003 for the Stuxnet worm for Iranian nuclear processing facilities.

Source: TheHackerNews, Security affairs

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.