Hackers Using Stolen D-Link Certificates for Malware Signing

A cyber-espionage group is abusing code-signing certificates stolen from Taiwan-based companies for the distribution of their backdoor, ESET reports.

The group, referred to as BlackTech, appears highly skilled and focused on the East Asia region, particularly Taiwan. The certificates, stolen from D-Link and security company Changing Information Technology Inc., have been used to sign the Plead backdoor, ESET’s security researchers say.

The Plead campaign is believed to have been active since at least 2012, often focused on confidential documents and mainly targeting Taiwanese government agencies and private organizations.

ESET explains that the D-Link certificate must have been stolen rather than issued to the attackers, because the same certificate was also used to sign legitimate D-Link software, not only the Plead malware.

After being informed of the misuse of its certificate, D-Link revoked it, along with a second certificate, on July 3. In an advisory, the company said that most of its customers should not be affected by the revocation.

“D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong,” the company said.

Changing Information Technology Inc., also based in Taiwan, revoked the misused certificate on July 4, but the threat actor continued to use it for malicious purposes even after that date, ESET reveals.

The signed malware samples also contain junk code for obfuscation purposes, but all perform the same action: they either fetch from a remote server or open from the local disk encrypted shellcode designed to download the final Plead backdoor module.

The malware can steal passwords from major web browsers, such as Chrome, Firefox, and Internet Explorer, and from Microsoft Outlook.

According to Trend Micro, the Plead backdoor can also list drives, processes, open windows and files on the compromised machine, open a remote shell, upload files, execute applications via the ShellExecute API, and delete files.

“Misusing digital certificates is one of the many ways cybercriminals try to mask their malicious intentions – as the stolen certificates let malware appear like legitimate applications, the malware has a greater chance of sneaking past security measures without raising suspicion,” ESET notes.

The use of code-signing certificates for malware delivery isn’t a novel practice, and the Stuxnet worm, which was discovered in 2010, is a great example of how long threat actors have been engaging in such practices. The first to target critical infrastructure, Stuxnet used digital certificates stolen from RealTek and JMicron, well-known Taiwanese tech companies.

Related: Cyber-Espionage Campaigns Target Tibetan Community in India 

Related: RANCOR Cyber Espionage Group Uncovered

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
