Digital certificates and malware: a dangerous mix
Posted on 05.02.2013
In the past few days we have heard several stories about major corporations getting hacked and their security systems completely bypassed. If anything, that should remind us of how vulnerable our data and privacy are. The fact of the matter is that there are so many angles one can get exploited that at the end of the day it can leave us wondering what or who to trust.

Take, for example, digital certificates which have been in the spotlight after Stuxnet used some or after Adobe’s servers were breached to sign malware. The purpose of a digital signature is to guarantee the authenticity of a file from a particular vendor and is provided by one of a few certificate authorities.

We spotted a new malware sample (Brazilian banking/password stealer) which happens to be signed with a real and valid digital certificate issued by DigiCert:



This certificate is issued to a company called “Buster Paper Comercial Ltda”, a Brazilian company that actually does not exist and was registered with bogus data.

The file – disguised as a PDF document (an invoice) – actually opens up as such to really fool the victim:



But what is really going on here? Let’s have a look, here are the new processes created:


and HTTP traffic:


Let’s pause for a moment on where the malware connects to: som.egnyte.com


This is a sub-domain for a cloud storage company focusing on file sharing for the enterprise. In our case it’s file storage for the criminals. The fake PDF document downloads additional payload stored on this server:

hxxps://som.egnyte.com/h-s-internal/{redacted}/f3487f359b38436f
hxxps://som.egnyte.com/h-s-internal/{redacted}/d3669545621045d9

These files are banking Trojans that are very large (over 10 MB unzipped). No pun intended, but size matters as many antivirus scanners have trouble with detecting larger files.

Digging a little deeper, this is not a new case at all. In fact, last November the same kind of digitally signed Trojan was also distributed. Its certificate has, since then, been revoked.

What we have here is a total abuse of hosting services, digital certificates and repeated offenses from the same people. Clearly, if digital certificates can be abused so easily, we have a big problem on our hands.

Digital certificate theft can be used in targeted attacks as a spear phishing attack for example. As we know, one of the weakest link in the security chain is the end-user (and this is especially true in the Enterprise world). An attacker can easily find out or guess what antivirus a company is running and craft a piece of malware that will not be detected by it. Because such attacks are very narrow, the sample will not be disseminated around the world, making its discovery less likely.


Author: Jerome Segura, Malwarebytes.





Spotlight

The synergy of hackers and tools at the Black Hat Arsenal

Posted on 27 August 2014.  |  Tucked away from the glamour of the vendor booths and the large presentation rooms filled with rockstar sessions, was the Arsenal - a place where developers were able to present their security tools and grow their community.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Aug 29th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //