SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Stolen Certificates From D-Link Used to Sign Password-Stealing Malware
Date    Wednesday July 11 2018, @11:59AM
Author    chromas
Topic   
from the yoink dept.
https://soylentnews.org/article.pl?sid=18/07/11/090248

MrPlow writes:

Submitted via IRC for Fnord666

From Ars:

Criminals recently stole code-signing certificates from router and camera maker D-Link and another Taiwanese company and used them to pass off malware that steals passwords and backdoors PCs, a researcher said Monday.

The certificates were used to cryptographically verify that legitimate software was issued by D-Link and Changing Information Technology. Microsoft Windows, Apple's macOS, and most other operating systems rely on the cryptographic signatures produced by such certificates to help users ensure that executable files attached to emails or downloaded on websites were developed by trusted companies rather than malicious actors masquerading as those trusted companies.

Bleeping Computer adds:

"The exact same certificate had been used to sign [official] D-Link software; therefore, the certificate was likely stolen," says Anton Cherepanov, a security researcher for Slovak antivirus company ESET, and the one who discovered the stolen cert.

Cherepanov says BlackTech operators used the stolen cert to sign two malware payloads: the first is the PLEAD backdoor, while the second is a nondescript password stealer.

According to a 2017 Trend Micro report, the BlackTech group has used the PLEAD malware in the past. Just like in previous attacks, the group's targets for these most recent attacks were again located in East Asia, particularly in Taiwan.

The password stealer isn't anything special, being capable of extracting passwords from only four apps: Internet Explorer, Google Chrome, Mozilla Firefox, and Microsoft Outlook.

Following Cherepanov's report about BlackTech using one of its certificates, D-Link revoked it last Tuesday, July 3. Before the revocation, the certificate was being used to secure the web panel of mydlink IP cameras.

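The Ars paragraph above describes what a code-signing certificate is supposed to attest to, and the Bleeping Computer paragraph ends with D-Link revoking the abused certificate. For a defender, the practical question after such an advisory is "which binaries on my estate were signed with that certificate?" The following Python is an added example for this page, not code from Ars, Bleeping Computer, ESET or D-Link: it reads the Authenticode blob out of a Windows PE file, extracts the signer certificates from the embedded PKCS#7 SignedData, and compares their SHA-1 thumbprints against a block list. The PE image, the certificates and the block list it builds are constructed test fixtures (skeleton certificates with no real keys or valid signatures); the real D-Link thumbprint is not reproduced here.

```python
"""Added example: match Authenticode signer thumbprints in a PE against a block list.
All fixtures below are constructed; nothing here is real D-Link material."""
import hashlib
import struct

# ---- minimal DER helpers: encode (for the fixtures) and decode (for parsing) ----

def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    """One DER TLV."""
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long form: (ln & 0x7F) length bytes follow
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body):
    """List the (tag, value, raw_tlv) triples packed back to back in body."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        tag, val, pos = der_read(body, pos)
        out.append((tag, val, body[start:pos]))
    return out

# ---- PE / Authenticode parsing ----

def authenticode_blobs(pe):
    """Yield the PKCS#7 payload of each WIN_CERTIFICATE in the security directory.
    IMAGE_DIRECTORY_ENTRY_SECURITY (index 4) holds a raw file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                          # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = {0x10B: 96, 0x20B: 112}.get(magic)     # PE32 / PE32+ data-directory offsets
    if dd_base is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_off, sec_size = struct.unpack_from("<II", pe, opt + dd_base + 4 * 8)
    pos, end = sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if revision == 0x0200 and cert_type == 0x0002:   # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            yield pe[pos + 8:pos + length]
        pos += (length + 7) & ~7                     # entries are 8-byte aligned

def signer_certificates(blob):
    """Return the DER certificates carried in a PKCS#7 SignedData ContentInfo."""
    tag, content_info, _ = der_read(blob, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo is not a SEQUENCE")
    explicit = next(c for c in der_children(content_info) if c[0] == 0xA0)  # [0] EXPLICIT content
    signed_data = der_children(explicit[1])[0]       # the SignedData SEQUENCE
    for tag, val, _ in der_children(signed_data[1]):
        if tag == 0xA0:                              # certificates [0] IMPLICIT SET OF Certificate
            return [raw for t, _, raw in der_children(val) if t == 0x30]
    return []

def cert_info(cert_der):
    """Thumbprint (SHA-1 of the DER, as Windows displays it) and serial number."""
    tbs = der_children(der_read(cert_der, 0)[1])[0]  # tbsCertificate
    serial = next(v for t, v, _ in der_children(tbs[1]) if t == 0x02)
    return {"thumbprint": hashlib.sha1(cert_der).hexdigest().upper(),
            "serial": serial.hex().upper()}

def find_blocked_signers(pe, blocked_thumbprints):
    """Signer certificates in pe whose thumbprint is on the block list."""
    return [info for blob in authenticode_blobs(pe)
            for info in map(cert_info, signer_certificates(blob))
            if info["thumbprint"] in blocked_thumbprints]

# ---- constructed fixtures (no real keys, no valid signatures) ----

def build_test_cert(serial):
    """Skeleton X.509 certificate: version, serial and empty placeholder fields."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + sha256_rsa
              + der(0x30, b"") + der(0x30, b"") + der(0x30, b""))   # issuer, validity, subject
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))

def build_test_pe(cert_der):
    """Stub PE32+ whose security directory points at one WIN_CERTIFICATE wrapping a
    PKCS#7 SignedData carrying cert_der (digestAlgorithms and signerInfos left empty)."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                      + der(0x30, der(0x06, bytes.fromhex("2A864886F70D010701")))
                      + der(0xA0, cert_der) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010702")) + der(0xA0, signed_data))
    win_cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    win_cert += b"\0" * (-len(win_cert) % 8)
    headers = 0x40 + 4 + 20 + 240                    # DOS header, "PE\0\0", COFF header, PE32+ optional header
    pe = bytearray(headers)
    pe[:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    struct.pack_into("<H", pe, 0x40 + 24, 0x20B)
    struct.pack_into("<II", pe, 0x40 + 24 + 112 + 32, headers, len(win_cert))
    return bytes(pe) + win_cert

if __name__ == "__main__":
    stolen = build_test_cert(b"\x0A\x1B\x2C")
    block_list = {cert_info(stolen)["thumbprint"]}   # in practice: thumbprints from the vendor advisory
    print(find_blocked_signers(build_test_pe(stolen), block_list))
    print(find_blocked_signers(build_test_pe(build_test_cert(b"\x7F")), block_list))
```

A thumbprint block list like this is a hunting aid for finding already-delivered samples; it does not replace a full Authenticode verification with revocation checking (signtool verify /pa, or Get-AuthenticodeSignature in PowerShell), and it deliberately reads only the embedded PKCS#7, so it says nothing about whether the signature actually validates. One caveat worth knowing when relying on the revocation the advisory describes: Authenticode evaluates a timestamped signature as of its timestamp, so an already-signed binary is only invalidated if the CA records a revocation effective date earlier than that timestamp.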

Original Submission

Links

  1. "MrPlow" - https://soylentnews.org/~MrPlow/
  2. "From Ars" - https://arstechnica.com/information-technology/2018/07/stolen-certificates-from-d-link-used-to-sign-password-stealing-malware/
  3. "Bleeping Computer" - https://www.bleepingcomputer.com/news/security/blacktech-apt-steals-d-link-cert-for-cyber-espionage-campaign/
  4. "Cherepanov says" - https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/
  5. "PLEAD backdoor" - https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html
  6. "2017 Trend Micro" - https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/
  7. "D-Link revoked it" - https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10089
  8. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=27786

© Copyright 2024 - SoylentNews, All Rights Reserved

printed from SoylentNews, Stolen Certificates From D-Link Used to Sign Password-Stealing Malware on 2024-04-23 10:39:09