Take, for example, digital certificates which have been in the spotlight after Stuxnet used some or after Adobe’s servers were breached to sign malware. The purpose of a digital signature is to guarantee the authenticity of a file from a particular vendor and is provided by one of a few certificate authorities.
We spotted a new malware sample (Brazilian banking/password stealer) which happens to be signed with a real and valid digital certificate issued by DigiCert:
This certificate is issued to a company called “Buster Paper Comercial Ltda”, a Brazilian company that actually does not exist and was registered with bogus data.
The file – disguised as a PDF document (an invoice) – actually opens up as such to really fool the victim:
But what is really going on here? Let’s have a look, here are the new processes created:
and HTTP traffic:
Let’s pause for a moment on where the malware connects to: som.egnyte.com
This is a sub-domain for a cloud storage company focusing on file sharing for the enterprise. In our case it’s file storage for the criminals. The fake PDF document downloads additional payload stored on this server:
These files are banking Trojans that are very large (over 10 MB unzipped). No pun intended, but size matters as many antivirus scanners have trouble with detecting larger files.
Digging a little deeper, this is not a new case at all. In fact, last November the same kind of digitally signed Trojan was also distributed. Its certificate has, since then, been revoked.
What we have here is a total abuse of hosting services, digital certificates and repeated offenses from the same people. Clearly, if digital certificates can be abused so easily, we have a big problem on our hands.
Digital certificate theft can be used in targeted attacks as a spear phishing attack for example. As we know, one of the weakest link in the security chain is the end-user (and this is especially true in the Enterprise world). An attacker can easily find out or guess what antivirus a company is running and craft a piece of malware that will not be detected by it. Because such attacks are very narrow, the sample will not be disseminated around the world, making its discovery less likely.
Author: Jerome Segura, Malwarebytes.