Digital Certificates are Stolen by Groups of Cyberespionage to Sign Malware

Code-signing certificates that are stolen are used by more cyberespionage groups to make its tools of hacking as well as malware look similar as genuine applications.

The most-recent instance is of a hacker group based in China, which has initiated attacks targeting both private and government organizations from all over the world since last two years.

Researchers of Symantec exposed the activities of the group during late 2015 when they found a hacking tool that was digitally signed, and was used for attacking one of the customers of the company.

The tool, a Windows brute-force Server Message Block (SMB) scanner, was signed by digital certificate belonging to a developer of mobile software in South Korea. This immediately gave a warning of danger because a mobile software company would never sign this kind of application.

Having traced the hacking group's traffic to IP addresses in Chengdu, China, researchers of Symantec finally identified a much larger collection of custom-developed backdoors and hacking tools, which were signed by nine different certificates of nine various companies. Strangely, all nine compromised companies are found to be existing within few miles of each other in Seoul. Arstechnica.com posted on 16th March, 2016, stating that while the physical proximity is doubtful, the researchers finally guessed that thefts of certificates did not happen due to any physical attack but most likely, it happened due to the owners being infected with malware which could search and remove signing certificates.

The researchers claimed that the certificates were found to be valid at the time of its discovery during late 2015, and their lawful owners were also not aware of its theft, although few certificates are used to sign since last 2014.

Symantec has dubbed this China-based hacker group as Suckfly, which uses a custom backdoor program in addition to hacking tools, seems to have been particularly designed for cyberespionage attacks. Symantec has named this malware program as Backdoor.Nidiran.

It is obvious that digital certificates, mainly those that are used for signing code, have become important targets of cybercriminals. Hence, it is extremely vital for organizations having this kind of certificates, to keep up maintaining strong cybersecurity practices and keep them in environments that are secure.

» SPAMfighter News - 3/23/2016