Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Malware Found Signed With Malaysian Government Certificate

Researchers from F-Secure have observed a piece of malware carrying an unusual piece of luggage – a valid code-signing certificate belonging to the government of Malaysia.

Code-signing certificates are meant to demonstrate the authenticity of a particular piece of software, making them potentially a hot commodity for people looking to dupe security mechanisms.

Researchers from F-Secure have observed a piece of malware carrying an unusual piece of luggage – a valid code-signing certificate belonging to the government of Malaysia.

Code-signing certificates are meant to demonstrate the authenticity of a particular piece of software, making them potentially a hot commodity for people looking to dupe security mechanisms.

“Every now and then we run into malware that has been signed with a code signing certificate,” blogged Mikko Hypponen, chief research officer at F-Secure. “This is problematic, as an unsigned Windows application will produce a warning to the end user if he downloads it from the web — signed applications won’t do this. Also some security systems might trust signed code more than unsigned code.”

The certificate in this case was signed by “anjungnet.mardi.gov.my,” a site belonging to Malaysia’s Agricultural Research and Development Institute. The certificate was stored on a server that was hacked, and apparently expired at the end of September. Authorities Malaysian told F-Secure the certificate was stolen “some time ago”, Hypponen noted.

“In some of these cases, the certificate has been created by the criminals just for the purpose for signing malware,” he added. “In other cases they steal code signing certificates (and their passphrases) so they can sign code as someone else.”

F-Secure detects the malware as Trojan-Downloader:W32/Agent.DTIW. The malware itself is propagating through malicious PDF files that drop after exploiting a vulnerability in Adobe Reader 8. The malware then downloads malicious components from a server called worldnewsmagazines.org. Some of the components are signed by an entity called esupplychain.com.tw.

Advertisement. Scroll to continue reading.

In an email to SecurityWeek, Hypponen described the situation as a targeted attack focused on an organization in Asia.

While rare, malware using digital certificates is not unheard of. Most infamously, Stuxnet installed drivers digitally signed by RealTek Semiconductor and JMicron Technology. In the past several months, the security of certificate authorities has been front and center. Earlier this month, Microsoft and Mozilla announced they were revoking trust in certificates issued by Malaysian CA Digicert after it was discovered its certificates used weak 512-bit keys and were missing certain certificate extensions.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.