Submission + - Stolen Certificates Found in Malware Possibly Targeting Tibetan Groups (threatpost.com)
Trailrunner7 writes: The recent trend of attackers using stolen digital certificates to make their malicious executables look legitimate is continuing unabated, with researchers now having come across a series of variants of the Etchfro Trojan that are using certificates taken from several companies and issued by VeriSign, Thawte and other certificate authorities.
After looking at recent examples of malware signed with stolen certificates, researchers at Norman ASA, a security firm in Norway, noticed that there was an odd string in one specific optional field included in the stolen certificates. The field, named moreInfo, often is used to enter a URL for users to find more information on a company. But in the examples that Norman looked at, that field instead included the following string: “identifierBegin:shiqiang:identifierEnd”.
It's not clear what, if any, purpose the string serves, but Norman researchers started digging through the company's malware database, looking for other samples with the same string. Lo and behold, there were more than 20 samples with the same odd string, and each of them included a stolen digital certificate. Many of the certificates are still valid right now. All of the malware samples, save one, were some version of the Etchfro Trojan. The other one is a version of the infamous Gh0st RAT tool.
The targets of the malware used in this attack are interesting. As has been the case with similar attacks that have employed stolen certificates, many of the malicious documents used in these attacks indicate that the attackers are going after organizations and individuals who are opposed to the Chinese government's policies. Researchers have uncovered several other examples of attackers, whether they be government-sponsored or private, going after human rights activists, Tibetan nationalists and others who oppose the Chinese government.
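The moreInfo value the submission describes is, in Authenticode terms, the SpcLink inside the SpcSpOpusInfo structure, an authenticated attribute (OID 1.3.6.1.4.1.311.2.1.12) of the SignerInfo in the PKCS#7 blob that a signed PE carries in its security directory. Hunting for the marker therefore means decoding that DER structure and looking at what sits where a URL should be. The following is an added example, not code from Norman ASA or from the article: it encodes and decodes SpcSpOpusInfo with a small DER walker and flags samples whose moreInfo carries the quoted string or is not a URL at all. The three sample blobs, their names and the helper names (build_opus_info, parse_spc_sp_opus_info, is_suspicious_more_info, hunt) are constructed for illustration; no bytes here come from real malware. Reaching the attribute in a real file still needs a PE and PKCS#7 parser, which this block does not include.

```python
"""Decode Authenticode SpcSpOpusInfo and flag odd moreInfo values.

Added example; the DER blobs are constructed, not taken from real samples.
"""

SEQUENCE = 0x30
CTX0_PRIM, CTX1_PRIM, CTX2_CONS = 0x80, 0x81, 0xA2  # [0]/[1] IMPLICIT, [2] EXPLICIT
CTX0_CONS, CTX1_CONS = 0xA0, 0xA1                   # [0]/[1] EXPLICIT

MARKER = "identifierBegin:shiqiang:identifierEnd"   # string quoted in the post


def der_len(n):
    """Encode a DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a single-byte DER tag plus length."""
    return bytes([tag]) + der_len(len(content)) + content


def der_read(buf, pos):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in SpcSpOpusInfo")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_spc_string(tag, content):
    """SpcString ::= CHOICE { unicode [0] IMPLICIT BMPString, ascii [1] IMPLICIT IA5String }"""
    if tag == CTX0_PRIM:
        return content.decode("utf-16-be")
    if tag == CTX1_PRIM:
        return content.decode("ascii")
    raise ValueError("unexpected SpcString tag 0x%02x" % tag)


def decode_spc_link(tag, content):
    """SpcLink ::= CHOICE { url [0] IMPLICIT IA5String, moniker [1] IMPLICIT ..., file [2] EXPLICIT SpcString }"""
    if tag == CTX0_PRIM:
        return content.decode("ascii")
    if tag == CTX1_PRIM:
        return "moniker:" + content.hex()   # serialized object; keep the raw bytes
    if tag == CTX2_CONS:
        inner_tag, inner, _ = der_read(content, 0)
        return "file:" + decode_spc_string(inner_tag, inner)
    raise ValueError("unexpected SpcLink tag 0x%02x" % tag)


def parse_spc_sp_opus_info(blob):
    """Return {'programName': ..., 'moreInfo': ...}; both members are OPTIONAL."""
    tag, body, _ = der_read(blob, 0)
    if tag != SEQUENCE:
        raise ValueError("SpcSpOpusInfo must be a SEQUENCE")
    info = {"programName": None, "moreInfo": None}
    pos = 0
    while pos < len(body):
        tag, content, pos = der_read(body, pos)
        inner_tag, inner, _ = der_read(content, 0)  # strip the EXPLICIT wrapper
        if tag == CTX0_CONS:      # programName [0] EXPLICIT SpcString
            info["programName"] = decode_spc_string(inner_tag, inner)
        elif tag == CTX1_CONS:    # moreInfo [1] EXPLICIT SpcLink
            info["moreInfo"] = decode_spc_link(inner_tag, inner)
        else:
            raise ValueError("unexpected element 0x%02x in SpcSpOpusInfo" % tag)
    return info


def is_suspicious_more_info(more_info):
    """Flag a moreInfo that carries the marker or is not a URL at all (hunting heuristic)."""
    if more_info is None:
        return False
    if MARKER in more_info:
        return True
    return not more_info.lower().startswith(("http://", "https://"))


def build_opus_info(program_name, more_info):
    """Encode SpcSpOpusInfo with a BMPString programName and an optional url moreInfo."""
    elems = der(CTX0_CONS, der(CTX0_PRIM, program_name.encode("utf-16-be")))
    if more_info is not None:
        elems += der(CTX1_CONS, der(CTX0_PRIM, more_info.encode("ascii")))
    return der(SEQUENCE, elems)


# Constructed blobs standing in for attribute values pulled from a sample database.
SAMPLES = {
    "constructed-etchfro-like": build_opus_info("Example Co. Updater", MARKER),
    "constructed-benign": build_opus_info("Example Co. Updater", "http://www.example.com/"),
    "constructed-no-moreinfo": build_opus_info("Example Co. Updater", None),
}


def hunt(samples):
    """Names of samples whose moreInfo looks like a covert tag rather than a URL."""
    return [name for name, blob in samples.items()
            if is_suspicious_more_info(parse_spc_sp_opus_info(blob)["moreInfo"])]
```

Running `hunt(SAMPLES)` flags only the first constructed blob. The heuristic deliberately flags anything that is not an http(s) URL, not just the exact marker, because the post describes a field that is normally a company URL; a different operator could use a different tag in the same slot.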