Researchers from F-Secure have observed a piece of malware carrying an unusual piece of luggage – a valid code-signing certificate belonging to the government of Malaysia.
Code-signing certificates are meant to demonstrate the authenticity of a particular piece of software, making them potentially a hot commodity for people looking to dupe security mechanisms.
“Every now and then we run into malware that has been signed with a code signing certificate,” blogged Mikko Hypponen, chief research officer at F-Secure. “This is problematic, as an unsigned Windows application will produce a warning to the end user if he downloads it from the web — signed applications won’t do this. Also some security systems might trust signed code more than unsigned code.”
The certificate in this case was signed by “anjungnet.mardi.gov.my,” a site belonging to Malaysia’s Agricultural Research and Development Institute. The certificate was stored on a server that was hacked, and apparently expired at the end of September. Authorities Malaysian told F-Secure the certificate was stolen “some time ago”, Hypponen noted.
“In some of these cases, the certificate has been created by the criminals just for the purpose for signing malware,” he added. “In other cases they steal code signing certificates (and their passphrases) so they can sign code as someone else.”
F-Secure detects the malware as Trojan-Downloader:W32/Agent.DTIW. The malware itself is propagating through malicious PDF files that drop after exploiting a vulnerability in Adobe Reader 8. The malware then downloads malicious components from a server called worldnewsmagazines.org. Some of the components are signed by an entity called esupplychain.com.tw.
In an email to SecurityWeek, Hypponen described the situation as a targeted attack focused on an organization in Asia.
While rare, malware using digital certificates is not unheard of. Most infamously, Stuxnet installed drivers digitally signed by RealTek Semiconductor and JMicron Technology. In the past several months, the security of certificate authorities has been front and center. Earlier this month, Microsoft and Mozilla announced they were revoking trust in certificates issued by Malaysian CA Digicert after it was discovered its certificates used weak 512-bit keys and were missing certain certificate extensions.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Consolidate Vendors and Products for Better Security
- Pharmaceutical Giant Eisai Takes Systems Offline Following Ransomware Attack
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
