Stolen certs

A lesser-known cyber-espionage group known as BlackTech has been caught earlier this month using a stolen D-Link certificate to sign malware deployed in a recent campaign.

"The exact same certificate had been used to sign [official] D-Link software; therefore, the certificate was likely stolen," says Anton Cherepanov, a security researcher for Slovak antivirus company ESET, and the one who discovered the stolen cert.

D-Link cert used to sign PLEAD malware samples

Cherepanov says BlackTech operators used the stolen cert to sign two malware payloads: the first is the PLEAD backdoor, while the second is a nondescript password stealer.

According to a 2017 Trend Micro report, the BlackTech group has used the PLEAD malware in the past. Just like in previous attacks, the group's targets for these most recent attacks were again located in East Asia, particularly in Taiwan.

The password stealer isn't anything special, being capable of extracting passwords from only four apps: Internet Explorer, Google Chrome, Mozilla Firefox, and Microsoft Outlook.

Following Cherepanov's report about BlackTech using one of its certificates, D-Link revoked it last Tuesday, July 3. Before the revocation, the certificate was being used to secure the web panel of mydlink IP cameras.

APT used another certificate, but that one was older

In addition to the malware samples signed with the D-Link cert, Cherepanov also discovered some BlackTech malware samples signed with a certificate belonging to Taiwanese tech firm Changing Information Technology, Inc.

But unlike the D-Link certificate, this one had already been revoked a year earlier, on July 4, 2017, so it wasn't really that useful.

By signing the malicious files, BlackTech made their malware appear as a legitimate app from a trusted source to the underlying OS.
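The point in the two paragraphs above, and the reason the D-Link revocation matters, is that a signature made with a stolen certificate stays cryptographically valid forever; only a verifier that consults the issuer's revocation data will reject it. The script below is an added illustration, not anything from the article, ESET or D-Link: it builds a throwaway CA with OpenSSL, issues a hypothetical "Example Vendor Code Signing" certificate, signs a constructed file with it, and then verifies that signature before and after the CA revokes the certificate. All names, paths and the payload are made up; the CMS/PKCS#7 signature stands in for a real Authenticode signature, and `-purpose any` is passed because `openssl cms` otherwise assumes an S/MIME signing purpose.

```shell
#!/bin/sh
# Added illustration (not from the article): a throwaway CA issues a code-signing
# certificate, the certificate signs a file, and the signature is verified
# before and after revocation. Every name and value here is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf for the toy CA; $WORK is expanded when the file is written.
cat >"$WORK/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $WORK
database         = $WORK/index.txt
new_certs_dir    = $WORK
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_codesign ]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
touch "$WORK/index.txt"
echo 01 >"$WORK/serial"
echo 01 >"$WORK/crlnumber"

# Build the PKI, sign a constructed "binary", and publish an (empty) CRL.
setup_pki() {
    openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -config "$WORK/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example Vendor Code Signing" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -batch -notext -extensions v3_codesign \
        -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" 2>/dev/null
    printf 'constructed sample payload\n' >"$WORK/payload.bin"
    openssl cms -sign -binary -signer "$WORK/leaf.crt" -inkey "$WORK/leaf.key" \
        -in "$WORK/payload.bin" -outform DER -out "$WORK/payload.p7s"
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Naive check: signature cryptographically valid and signer chained to a
# trusted CA. This is all that "looks like a legitimate app" requires.
verify_signed_file() {
    openssl cms -verify -binary -inform DER -in "$WORK/payload.p7s" \
        -content "$WORK/payload.bin" -CAfile "$WORK/ca.crt" -purpose any \
        -out /dev/null 2>/dev/null
}

# Same check, but also consult the CA's CRL for the signer certificate.
verify_signed_file_crl() {
    openssl cms -verify -binary -inform DER -in "$WORK/payload.p7s" \
        -content "$WORK/payload.bin" -CAfile "$WORK/ca.crt" -purpose any \
        -CRLfile "$WORK/ca.crl" -crl_check -out /dev/null 2>/dev/null
}

# The CA revokes the signing certificate and publishes a fresh CRL.
revoke_signer() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.crt" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# report LABEL FUNC: print the verdict without aborting under set -e.
report() {
    if "$2"; then echo "$1: valid"; else echo "$1: REJECTED"; fi
}

setup_pki
report "before revocation, no CRL check" verify_signed_file
report "before revocation, CRL check   " verify_signed_file_crl
revoke_signer
report "after revocation, no CRL check " verify_signed_file
report "after revocation, CRL check    " verify_signed_file_crl
```

The first three verdicts are "valid" and only the last is "REJECTED": revoking the certificate changes nothing about the file or its signature, so a host that trusts a signature without a revocation check (or one that cannot reach the CRL or OCSP responder) will keep treating the malware as vendor software. For defenders this means revocation is a necessary but not sufficient response; inventorying and blocking the specific signer on endpoints is what actually stops already-signed samples.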

It's no surprise seeing a supposed nation-state attacker with nearly unlimited resources abusing stolen certificates. A Recorded Future investigation published at the start of the year revealed that most common crooks couldn't afford to buy digital certificates off the black market due to their prohibitive costs. Most stolen certificates remain within reach only of APTs and highly advanced financial crime groups.
