Digital certificates and malware: a dangerous mix

In the past few days we have heard several stories about major corporations getting hacked and their security systems completely bypassed. If anything, that should remind us of how vulnerable our data and privacy are. The fact of the matter is that there are so many angles one can get exploited that at the end of the day it can leave us wondering what or who to trust.

Take, for example, digital certificates which have been in the spotlight after Stuxnet used some or after Adobe’s servers were breached to sign malware. The purpose of a digital signature is to guarantee the authenticity of a file from a particular vendor and is provided by one of a few certificate authorities.

We spotted a new malware sample (Brazilian banking/password stealer) which happens to be signed with a real and valid digital certificate issued by DigiCert:

This certificate is issued to a company called “Buster Paper Comercial Ltda”, a Brazilian company that actually does not exist and was registered with bogus data.

The file – disguised as a PDF document (an invoice) – actually opens up as such to really fool the victim:

But what is really going on here? Let’s have a look, here are the new processes created:

and HTTP traffic:

Let’s pause for a moment on where the malware connects to: som.egnyte.com

This is a sub-domain for a cloud storage company focusing on file sharing for the enterprise. In our case it’s file storage for the criminals. The fake PDF document downloads additional payload stored on this server:

hxxps://som.egnyte.com/h-s-internal/{redacted}/f3487f359b38436f
hxxps://som.egnyte.com/h-s-internal/{redacted}/d3669545621045d9

These files are banking Trojans that are very large (over 10 MB unzipped). No pun intended, but size matters as many antivirus scanners have trouble with detecting larger files.

Digging a little deeper, this is not a new case at all. In fact, last November the same kind of digitally signed Trojan was also distributed. Its certificate has, since then, been revoked.

What we have here is a total abuse of hosting services, digital certificates and repeated offenses from the same people. Clearly, if digital certificates can be abused so easily, we have a big problem on our hands.

Digital certificate theft can be used in targeted attacks as a spear phishing attack for example. As we know, one of the weakest link in the security chain is the end-user (and this is especially true in the Enterprise world). An attacker can easily find out or guess what antivirus a company is running and craft a piece of malware that will not be detected by it. Because such attacks are very narrow, the sample will not be disseminated around the world, making its discovery less likely.

Author: Jerome Segura, Malwarebytes.

More about

Don't miss