Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign

guest · Jul 9, 2018

Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign
D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan
July 9, 2018
https://www.welivesecurity.com/2018...wanese-tech-companies-plead-malware-campaign/

We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate.

Having confirmed the file’s malicious nature, we notified D-Link, who launched their own investigation into the matter. As a result, the compromised digital certificate was revoked by D-Link on July 3, 2018.
The malware
Our analysis identified two different malware families that were misusing the stolen certificate – the Plead malware, a remotely controlled backdoor, and a related password stealer component. Recently, the JPCERT published a thorough analysis of the Plead backdoor, which, according to Trend Micro, is used by the cyberespionage group BlackTech.

The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region.
Click to expand...

itman · Jul 9, 2018

A great real-word example of what a backdoor is capable of:

The malware can steal passwords from major web browsers, such as Chrome, Firefox, and Internet Explorer, and from Microsoft Outlook.

According to Trend Micro, the Plead backdoor can also list drives, processes, open windows and files on the compromised machine, can open remote shell, upload files, execute applications via ShellExecute API, and delete files.
Click to expand...

https://www.securityweek.com/hackers-using-stolen-d-link-certificates-malware-signing

PLEAD also uses the document-targeting exfiltration tool DRIGO, which mainly searches the infected machine for documents. Each copy of DRIGO contains a refresh token tied to specific Gmail accounts used by the attackers, which are in turn linked to a Google Drive account. The stolen files are uploaded to these Google Drives, where the attackers can harvest them.
Click to expand...

https://blog.trendmicro.com/trendla...ng-trail-blacktech-cyber-espionage-campaigns/

Rasheed187 · Jul 14, 2018

mood said: ↑

Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign
D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan
July 9, 2018
https://www.welivesecurity.com/2018...wanese-tech-companies-plead-malware-campaign/
Click to expand...

It's a good idea to limit the amount of digital signatures that are auto trusted by security tools.

Log in or Sign up

Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign

guest Guest

itman Registered Member

Rasheed187 Registered Member

Log in or Sign up

Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign

guest Guest

itman Registered Member

Rasheed187 Registered Member

Useful Searches