Criminals recently stole code-signing certificates from router and camera maker D-Link and another Taiwanese company and used them to pass off malware that steals passwords and backdoors PCs, a researcher said Monday.
The certificates were used to cryptographically verify that legitimate software was issued by D-Link and Changing Information Technology. Microsoft Windows, Apple’s macOS, and most other operating systems rely on the cryptographic signatures produced by such certificates to help users ensure that executable files attached to emails or downloaded on websites were developed by trusted companies rather than malicious actors masquerading as those trusted companies.
Somehow, members of an advanced persistent-threat hacking group known as BlackTech obtained the certificates belonging to D-Link and Changing Information Technology, the researcher with antivirus provider Eset said in a blog post. The attackers then used the certificates to sign two pieces of malware, one a remotely controlled backdoor and the other a related password stealer. Both pieces of malware are referred to as Plead and are used in espionage campaigns against targets located in East Asia. The Japan Computer Emergency Response team recently documented the Plead malware here. AV provider Trend Micro recently wrote about BlackTech here.
“The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region,” Eset researcher Anton Cherepanov wrote in Monday’s post.
Don’t try this at home
In a support announcement, D-Link officials said that two separate code-signing certificates were recently misappropriated by a “highly active cyber espionage group.” The post said most D-Link customers won’t be affected by the theft, but it also suggested some people may experience errors when viewing mydlink IP cameras within Web browsers. Company engineers are in the process of releasing updated firmware to fix the errors. People using mydlink mobile applications aren’t affected.
Both D-Link and Changing Information Technology have revoked the stolen certificates. Until the D-Link firmware is issued, the company’s support announcement is advising people who want to use browsers to view their affected D-Link cameras to temporarily ignore the certificate revocation warnings. This is bad advice that could be abused by malware operators. Users should disregard it.
The best-known example of malware that abused stolen code-signing certificates was the Stuxnet worm that targeted Iran’s nuclear enrichment program almost a decade ago. The malware used legitimate certificates belonging to RealTek and JMicron which are both, like D-Link and Changing Information Technology, known technology companies based in Taiwan.
Last year, researchers published research that showed that malware signed by OS-trusted code-signing certificates was more common than most people assumed, with the first known instance occurring in 2003. Earlier this year, researchers documented several underground services that sold counterfeit signing credentials that are unique to each buyer. The thefts reported Monday are an indication misappropriated certificates remain a widely used technique for concealing malicious software.