BlackTech threat group steals D-Link certificates to spread backdoor malware

The same certificate was used to sign legitimate D-Link software.

This article originally appeared on our sister site ZDNet.

Researchers have uncovered a new malicious campaign which utilizes stolen D-Link certificates to sign malware.

On Monday, a team from cybersecurity firm ESET said the new malware campaign was spotted when the company's systems marked several files as malicious.

The files drew the researchers' attention because they were digitally signed using a legitimate D-Link code-signing certificate.

Certificates are issued to ascertain the legitimacy — and safety — of files and software. However, if a threat actor manages to steal one, they can then sign malicious software to make it appear legitimate and to circumvent standard cybersecurity protection solutions.

ESET says that the same certificate was used to sign legitimate D-Link software, and so, "the certificate was likely stolen."

The campaign is believed to be the work of BlackTech, an advanced persistent threat (APT) group which focuses on targets in Asia, including those in Taiwan, Japan, and Hong Kong.

BlackTech appears to focus on cyberespionage, which links to the two different malware families found by ESET to use the stolen certificate.


The main malware family is PLEAD, which includes a backdoor component and the DRIGO exfiltration tool. The PLEAD malware is either downloaded from a remote server or opened from a local disk as an encrypted binary. The encrypted file contains shellcode that downloads the full backdoor module, which is then executed and maintains persistence on the infected system.

PLEAD has been linked to information-stealing campaigns since 2012 and operators utilize spear-phishing techniques to spread the malware.

ESET also spotted a password stealer which has been signed using the certificate. The malicious code attempts to exfiltrate passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, as well as Mozilla Firefox.


In addition, other malware samples have been detected using a certificate signed by Taiwanese firm Changing Information Technology. This certificate was revoked earlier this month but it is still being used by BlackTech to sign malware.

"The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region," ESET says.

ESET reported its findings to D-Link, which then launched an investigation into the allegedly stolen certificate.

Once complete, the vendor confirmed that two digital certificates were compromised and immediately revoked them on 3 July 2018. New certificates have been issued to resolve the problem.
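The defensive check a practitioner would want after a story like this is whether anything on their own systems is signed by a compromised or revoked code-signing certificate. The following PowerShell script is an added example, not tooling from ESET or D-Link: it scans a folder for signed binaries, reports signature status, builds the signer's chain with online revocation checking, and flags signers on a local denylist. `$Path` and the denylist are assumptions, and the thumbprints are placeholders, since the article does not publish the certificates' identifiers.

```powershell
# Added defensive example (not part of the ESET research or D-Link's tooling).
# Scans a folder for Authenticode-signed executables, checks signature status
# and live revocation of the signer chain, and flags signers on a denylist.
# $Path and $DenylistedThumbprints are assumptions; the thumbprints below are
# PLACEHOLDERS, not the real compromised D-Link or Changing certificates.
param(
    [string]$Path = 'C:\Scan',
    [string[]]$DenylistedThumbprints = @('PLACEHOLDER_THUMBPRINT_1', 'PLACEHOLDER_THUMBPRINT_2')
)

function Test-SignerRevoked {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with online CRL/OCSP checks so a revoked signer is reported
    # even when the file's own signature still verifies.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($Cert)
    $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $revoked = $chain.ChainStatus | Where-Object { $_.Status -band $revokedFlag }
    $chain.Dispose()
    return [bool]$revoked
}

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -eq 'NotSigned') { return }   # unsigned files are out of scope here

    $cert = $sig.SignerCertificate
    $reasons = @()
    if ($sig.Status -ne 'Valid') { $reasons += "status=$($sig.Status)" }
    if ($cert) {
        if ($DenylistedThumbprints -contains $cert.Thumbprint) { $reasons += 'denylisted signer' }
        if (Test-SignerRevoked -Cert $cert) { $reasons += 'signer revoked' }
    }

    # A signature countersigned with a trusted timestamp taken before the
    # revocation date can still show Status=Valid, which is why the thumbprint
    # and chain checks above run regardless of Status.
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            File       = $_.FullName
            Signer     = if ($cert) { $cert.Subject } else { 'unknown' }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { 'unknown' }
            Timestamp  = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { 'none' }
            Reasons    = ($reasons -join '; ')
        }
    }
}
```

Replace the placeholder thumbprints with the compromised certificates' actual thumbprints from the vendor's or ESET's advisories before relying on the denylist check.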


About Charlie Osborne

Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.
