Slashdot Mirror


BlackTech Threat Group Steals D-Link Certificates To Spread Backdoor Malware (bleepingcomputer.com)

Security researchers have discovered a new malicious campaign that uses a stolen D-Link code-signing certificate to sign malware. From a report: A lesser-known cyber-espionage group known as BlackTech was caught earlier this month using a stolen D-Link certificate to sign malware deployed in a recent campaign. "The exact same certificate had been used to sign [official] D-Link software; therefore, the certificate was likely stolen," says Anton Cherepanov, a security researcher for Slovak antivirus company ESET, and the one who discovered the stolen cert. Cherepanov says BlackTech operators used the stolen cert to sign two malware payloads -- the first is the PLEAD backdoor, while the second is a nondescript password stealer. According to a 2017 Trend Micro report, the BlackTech group has used the PLEAD malware in the past. Just like in previous attacks, the group's targets in these most recent attacks were again located in East Asia, particularly in Taiwan. The password stealer isn't anything special, being capable of extracting passwords from only four apps -- Internet Explorer, Google Chrome, Mozilla Firefox, and Microsoft Outlook.

25 comments

  2. Why by Anonymous Coward · · Score: 0

    it gots to be black?

  3. sarcasm? by Anonymous Coward · · Score: 0

    I hope this was meant to be sarcastic? "The password stealer isn't anything special, being capable of extracting passwords from only four apps -- Internet Explorer, Google Chrome, Mozilla Firefox, and Microsoft Outlook."

    I've heard of some of those apps. That's like Monty Python flesh wound level sarcasm in my book.

    1. Re:sarcasm? by EndlessNameless · · Score: 1

      But it really isn't special in the technical sense. Every password stealer targets those applications.

      A boring, common threat isn't special. It may be a serious threat to users of infected systems, but it isn't novel.

      We've known for years that storing credentials in those applications is a bad idea, so both the threat vector and the implementation aren't really new. So yes, I agree that it "isn't anything special".

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.

  4. "passwords from only four apps" by charliemerritt03 · · Score: 1

    Yeah, a significant 4 apps: 3 web browsers and MS Outlook.
    "Only"

    1. Re:"passwords from only four apps" by Anonymous Coward · · Score: 0

      Well Thank God Edge is not crackable!

  5. Who doesn't use a HSM these days? by ctilsie242 · · Score: 1

    Why do places that use certificates and know the damage they can do if stolen, not use HSMs? $60 gets you a NitroKey. $600 gets you a YubiKey HSM, so they are not expensive. A YubiKey HSM can even be configured to require a manual tap on the unit to confirm there is an actual live body there actually wanting to do a signing transaction.

    1. Re:Who doesn't use a HSM these days? by EndlessNameless · · Score: 2

      Most cybersecurity professionals are half-witted hacks, so changing a "secure" process is often a difficult fight.

      If the company already has a "secure" process for generating, storing, and using its signing keys then I would expect that process to endure for quite some time.

      I'd agree that HSMs should be part of the process, but key ceremonies often involve several layers of management and oversight. As a result, changes need universal buy-in throughout the organization. Upper management won't understand the security implications and will look to their flock of subordinates before approving the change, so the organization can be beholden to its most stubborn employee, if his opinion is respected higher up.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.

    2. Re:Who doesn't use a HSM these days? by Anonymous Coward · · Score: 0

      There is also the "security is no ROI" aspect, where a manager doesn't understand the difference between storing a key on a machine accessible to all and sundry versus a dedicated device.

      Of course, the fact that C-level employees are able to short their stock immediately before they announce a breach makes them uninterested in security, since they make money when the company's stock tanks.

    3. Re:Who doesn't use a HSM these days? by TechyImmigrant · · Score: 1

      The last HSM I purchased cost $16,000 (for a single PCI card with card reader).

      In what org does the person with the knowledge of the software signing process have the autonomy to sign off $16,000?

      Of course, to do it right you need three. So $48,000.

      HSMs need not be expensive, but they are, partly because of the FIPS certification process and partly because people can get away with it.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

    4. Re:Who doesn't use a HSM these days? by Anonymous Coward · · Score: 0

      Likely a MS SHA-1 codesign private key was stolen (notably necessary for Windows Vista/2008 kernel drivers and to a lesser extent 7/2008R2 depending on patch state). SHA-1 codesign certs are usually delivered via browser to IE for inclusion into a Windows cert store, which then allows re-export of the private key. When reimporting the exported private key elsewhere onto a Windows machine, there is the option to mark the private key as non-re-exportable.

      So one possibility is the cert with private key was either stolen from the retrieval Windows machine, or from the signing machine which had allowed re-export. If the codesign workflow was being done on a Linux box, though, then perhaps other factors are involved, but being stolen from Windows is the probable reason.

      Another possibility is the malware was brought into the target company's compromised signing PC and signed there, then brought back out for use. This occurs if the Windows signing machine prohibits private key export, thus requiring local ops. This would be if re-export was forbidden for a SHA-1 codesign key, or, in the case of EV SHA-2 codesign certs, the cert is stored in an HSM USB token which explicitly forbids private key export. Surprisingly often, EV SHA-2 tokens are left plugged in to the signing machine, but if you look at the fine print of the contract with the CA, leaving it plugged in and unlocked is a contract violation allowing immediate revocation. Still, a lot of people leave the USB token plugged in to allow codesign automation.

      The final possibility is an external third-party codesign workflow was compromised. Most EV SHA-2 codesign certs are USB token based, so you have to unlock them after every reboot/USB disconnect, which disturbs codesign automation if the signing PC automatically reboots periodically (like Windows 10). To get around this, some CAs offer a codesign service, where they will host the cert on their infrastructure and you submit binaries to be signed via some web API. The odds of the web API being directly hacked are low, but an internal designated signing PC being compromised and sending malware binaries to be signed by the CA codesign service is possible.
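
The three theft paths in the comment above (an exportable key sitting in the Windows certificate store, a compromised signing PC, a compromised CA-hosted signing workflow) all start from the same question for a defender: on the signing machine, which code-signing certificates have a private key present, and can that key be pulled out in plaintext? The PowerShell below is an added example, not code from ESET, D-Link or any commenter. It audits the per-user and machine personal stores and reports, for each code-signing certificate, the key provider and whether the key's export policy allows plaintext export. The store paths and the .NET/CNG property names are the standard Windows ones; the function name and output layout are my own choices.

```powershell
# Added example (not from the article or any commenter): audit the local
# Windows certificate stores for code-signing certificates and report whether
# each private key is exportable, i.e. whether a compromise of this machine
# would hand an attacker the key itself (the "re-export" path described above).
# Run on the signing machine; elevate to see the LocalMachine store.
# Touching a token-backed key may trigger a PIN prompt; nothing is modified.

function Get-CodeSigningKeyExposure {
    [CmdletBinding()]
    param(
        # Stores to audit. The "My" (Personal) stores are where an imported
        # .pfx or a token-backed certificate normally lands.
        [string[]] $StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )

    foreach ($path in $StorePath) {
        # -CodeSigningCert filters on the Code Signing EKU (1.3.6.1.5.5.7.3.3).
        $certs = Get-ChildItem -Path $path -CodeSigningCert -ErrorAction SilentlyContinue
        foreach ($cert in $certs) {
            $provider   = 'none'
            $exportable = 'n/a'      # stays n/a for non-RSA keys or if the key is absent
            if ($cert.HasPrivateKey) {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key (software KSP, smart card KSP, or a vendor HSM KSP).
                    # ExportPolicy tells us whether plaintext export is allowed.
                    $provider   = $rsa.Key.Provider.Provider
                    $allowPlain = [int][System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
                    $exportable = (([int]$rsa.Key.ExportPolicy) -band $allowPlain) -ne 0
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI key, typical for the older SHA-1-era code-signing certs
                    # delivered through the browser as the comment describes.
                    $provider   = $rsa.CspKeyContainerInfo.ProviderName
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                SigAlg     = $cert.SignatureAlgorithm.FriendlyName
                NotAfter   = $cert.NotAfter
                HasKey     = $cert.HasPrivateKey
                Provider   = $provider
                Exportable = $exportable
            }
        }
    }
}

Get-CodeSigningKeyExposure | Format-Table -AutoSize
```

Anything listed with Exportable = True is one infostealer away from becoming the next "stolen certificate" headline; it should be regenerated into a token or HSM and the old certificate revoked rather than merely re-marked non-exportable, since a copy may already have left. A token- or HSM-backed key shows up with a hardware or smart-card provider and Exportable = False, and the comment's warning about leaving that token plugged in and unlocked for automation still applies. A CA-hosted signing service never appears in this list at all, so it has to be audited on the submission side (who can submit, from which machine, with what approval).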

    5. Re:Who doesn't use a HSM these days? by arglebargle_xiv · · Score: 1

      They're also insanely painful to use. If you've got 1,000 devs shipping updates for drivers and firmware on 800 different devices then the absolutely last thing you want to do is have them fight over a single painful-to-work-with HSM.

    6. Re:Who doesn't use a HSM these days? by TechyImmigrant · · Score: 1

      Yep. I found the APIs and driver support to be convoluted and messy.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

  6. Remember... by Anonymous Coward · · Score: 0

    When the US gov does shady shit they make it look like somebody else did it.

  7. Is This PornHub? by Anonymous Coward · · Score: 0

    That headline made me wonder if I was on Slashdot or PornHub.

  8. Delivery method by Anonymous Coward · · Score: 0

    I believe that I understand that this would defeat some OS level scanning. How would the malware actually get in/on the PC? Shouldn't an up to date virus/malware scanner catch this stuff?

  9. You Forgot by Anonymous Coward · · Score: 0

    You forgot random bolding of words and a bipolar diatribe about... well... anything incoherent.

  10. Easy to stop/stall via hosts files... apk by Anonymous Coward · · Score: 0

    0.0.0.0 amazon.panasocin.com
    0.0.0.0 office.panasocin.com
    0.0.0.0 okinawas.ssl443.org
    0.0.0.0 panasocin.com
    0.0.0.0 ssl443.org

    * Place those entries into your hosts file & voila: This threat is effectively neutralized &/or crippled...

    APK

    P.S.=> DATA SOURCE = https://www.welivesecurity.com... ... apk
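
The entries above block exactly those five hostnames and nothing else: a hosts file has no wildcard or parent-domain semantics, so a new subdomain, a lookup made over DNS-over-HTTPS, or a connection straight to an IP address walks past it. The PowerShell below is an added example, not the commenter's tool or the "APK Hosts File Engine": it parses a hosts file the way the resolver reads it (first field an address, remaining fields exact names, comments stripped) and tests a few names against the result. The sample file is constructed inline from the five entries posted above plus a localhost line; the function names are my own.

```powershell
# Added example (not from the commenter): parse a hosts file and test which
# names it actually blocks. Hosts matching is exact-name only, so
# "0.0.0.0 panasocin.com" does NOT cover "mail.panasocin.com".

# Constructed sample, built from the five entries in the comment above.
$SampleHosts = @'
# constructed sample hosts file
0.0.0.0 amazon.panasocin.com
0.0.0.0 office.panasocin.com
0.0.0.0 okinawas.ssl443.org
0.0.0.0 panasocin.com
0.0.0.0 ssl443.org
127.0.0.1 localhost
'@

function Get-BlockedHostSet {
    param([string] $Content)
    # Case-insensitive set of names that resolve to a sinkhole address.
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($raw in ($Content -split "`r?`n")) {
        $line = ($raw -replace '#.*$', '').Trim()        # strip comments and whitespace
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        # Only entries pointing at a sinkhole count as "blocked"; other
        # addresses are ordinary static overrides.
        if ($fields[0] -notin @('0.0.0.0', '127.0.0.1', '::1')) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) { [void]$set.Add($name) }
    }
    return ,$set
}

function Test-HostBlocked {
    param(
        [System.Collections.Generic.HashSet[string]] $Blocked,
        [string] $Name
    )
    # Exact match only: the resolver does not walk up to parent domains.
    return $Blocked.Contains($Name.TrimEnd('.'))
}

$blocked = Get-BlockedHostSet -Content $SampleHosts
foreach ($n in 'panasocin.com', 'office.panasocin.com', 'mail.panasocin.com', 'SSL443.ORG', 'localhost') {
    '{0,-24} blocked={1}' -f $n, (Test-HostBlocked -Blocked $blocked -Name $n)
}
```

Running it shows panasocin.com and office.panasocin.com blocked, SSL443.ORG blocked (case does not matter), and mail.panasocin.com not blocked, because no entry names it. The practical reading is that a hosts list is a cheap, local tripwire for the indicators published at the time, not a control against an operator who registers one more subdomain; the lasting fix for this campaign is on the signing side (revocation of the certificate and blocking of the signed binaries), not on the resolver side.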

  11. For the best protection + speed via hosts? by Anonymous Coward · · Score: 0

    See subject & APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

    Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address that most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

    (Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).

    * ONLY 1 of its kind in GUI on Linux!

    Better vs. Windows model in speed/efficiency/merge.

    APK

    P.S.=> Best program of its kind bar-none & better vs. browser addons + other competitors (full of bugs, excess resource use, slowdown & complexity)... apk

  12. Registered /.ers review of the Win64 model by Anonymous Coward · · Score: 0

    Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

    Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016

    his hosts program is actually pretty good by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

    I like your host file system by Karmashock September 09 2015

    that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    * Best part = Linux 64-bit model's faster/more efficient (2x work & 1/2 the time)

    APK

    P.S.=> For a faster/safer/more reliable internet... apk

  13. from the headline by Anonymous Coward · · Score: 0

    i'm guessing this is about inter-racial ass porn.

    yes?

  14. Backdoor Malware by Anonymous Coward · · Score: 0

    I came for a joke about someone having malware of their backdoor. Usually the jokes are delivered by now. Kinda bummed.