This article originally appeared on our sister site ZDNet. Researchers have uncovered a new malicious campaign which utilizes stolen D-Link certificates to sign malware. On Monday, a team from cybersecurity firm ESET said the new malware campaign was spotted when the company's systems marked several files as malicious. The files raised the interest of researchers after it was noted that the flagged files were digitally signed using a legitimate D-Link code-signing certificate. Certificates are issued to ascertain the legitimacy — and safety — of files and software. However, if a threat actor manages to steal one, they can then sign malicious software to make it appear legitimate and to circumvent standard cybersecurity protection solutions. ESET says that the same certificate was used to sign legitimate D-Link software, and so, "the certificate was likely stolen. " The campaign is believed to be the work of BlackTech, an advanced persistent threat (APR) group which focuses on targets in Asia; including those in Taiwan, Japan, and Hong Kong. BlackTech appears to focus on cyberespionage, which links to the two different malware families found by ESET to use the stolen certificate. Network security policy (Tech Pro Research). The main malware family is PLEAD, which includes a backdoor component and the DRIGO exfiltration tool. The PLEAD malware downloads from a remote server or opens from a local disk after being encrypted in binary. The encrypted file contains shellcode which downloads the full backdoor module which then executes to maintain persistence on an infected system. PLEAD has been linked to information-stealing campaigns since 2012 and operators utilize spear-phishing techniques to spread the malware. ESET also spotted a password stealer which has been signed using the certificate. The malicious code attempts to exfiltrate passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, as well as Mozilla Firefox. User data exposed in Domain Factory hosting security breach (ZDNet). In addition, other malware samples have been detected using a certificate signed by Taiwanese firm Changing Information Technology. This certificate was revoked earlier this month but it is still being used by BlackTech to sign malware. "The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region," ESET says. ESET reported its findings to D-Link, which then launched an investigation into the allegedly stolen certificate. Once complete, the vendor confirmed that two digital certificates were compromised and immediately revoked them on 3 July 2018. New certificates have been issued to resolve the problem.
This isn't the IP camera software you think it is. Criminals recently stole code-signing certificates from router and camera maker D-Link and another Taiwanese company and used them to pass off malware that steals passwords and backdoors PCs, a researcher said Monday. The certificates were used to cryptographically verify that legitimate software was issued by D-Link and Changing Information Technology. Microsoft Windows, Apples macOS, and most other operating systems rely on the cryptographic signatures produced by such certificates to help users ensure that executable files attached to emails or downloaded on websites were developed by trusted companies rather than malicious actors masquerading as those trusted companies. Somehow, members of an advanced persistent-threat hacking group known as BlackTech obtained the certificates belonging to D-Link and Changing Information Technology, the researcher with antivirus provider Eset said in a blog post. The attackers then used the certificates to sign two pieces of malware, one a remotely controlled backdoor and the other a related password stealer. Both pieces of malware are referred to as Plead and are used in espionage campaigns against targets located in East Asia. The Japan Computer Emergency Response team recently documented the Plead malware here. AV provider Trend Micro recently wrote about BlackTech here. The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region, Eset researcher Anton Cherepanov wrote in Mondays post. In a support announcement, D-Link officials said that two separate code-signing certificates were recently misappropriated by a highly active cyber espionage group. The post said most D-Link customers wont be affected by the theft, but it also suggested some people may experience errors when viewing mydlink IP cameras within Web browsers. Company engineers are in the process of releasing updated firmware to fix the errors. People using mydlink mobile applications arent affected. Both D-Link and Changing Information Technology have revoked the stolen certificates. Until the D-Link firmware is issued, the companys support announcement is advising people who want to use browsers to view their affected D-Link cameras to temporarily ignore the certificate revocation warnings. This is bad advice that could be abused by malware operators. Users should disregard it. The best-known example of malware that abused stolen code-signing certificates was the Stuxnet worm that targeted Irans nuclear enrichment program almost a decade ago. The malware used legitimate certificates belonging to RealTek and JMicron which are both, like D-Link and Changing Information Technology, known technology companies based in Taiwan.