How is Plead malware used for cyberespionage attacks?

Cyberespionage hackers have used stolen digital certificates to steal data. Expert Michael Cobb explains how hackers sign Plead malware to conduct these attacks.

An espionage group used stolen digital certificates to sign Plead malware and used a password stealer component that was also used in attacks in East Asia. How does this attack work, and how does one steal digital certificates?

Users increasingly need assurance that they can trust the software they download from the internet. A code-signing certificate allows developers to provide a layer of assurance to anyone downloading or installing their software, as it validates the content's source: who published the software, as well as the content's integrity -- proof that it hasn't been modified since it was signed. This acts as a virtual shrink-wrap for software, as the digital signature will break if the code is altered in any way after it is signed.

Unlike web server TLS certificates, code-signing certificates can't be obtained for free, as a certificate authority (CA) carries out more detailed checks to verify that the information supplied by the developer or his company is correct and truthful.

While code-signing certificates establish the identity of the code's developer, they don't guarantee that the developer is trustworthy. Still, having to register with a CA is a big deterrent to attackers, as it's much easier to identify and track down developers if they distribute malicious code. This also makes stolen code-signing certificates attractive, as a hacker can make malicious code appear trustworthy by signing it with a stolen but valid certificate.

This signed malware has a far greater chance of being downloaded and used because it appears legitimate to both users and security controls, such as antivirus software. The infamous Stuxnet worm, discovered in 2010, used several digital certificates stolen from Taiwan-based tech companies Realtek and JMicron.

Researchers at ESET found stolen digital certificates being used as part of a spear phishing campaign to spread the remotely controlled backdoor Plead malware and a password stealer designed to collect saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook and Mozilla Firefox.

Plead malware downloads a small encrypted binary blob from a remote server or opens it from a local disk. This binary blob contains shell code that downloads the full backdoor module and then executes it to maintain persistence on the infected system.

The files downloaded by the Plead malware were digitally signed using valid D-Link Systems Inc. and Changing Information Technology Inc. code-signing certificates. D-Link has since revoked the compromised digital certificates, and the Changing Information Technology certificate was revoked on July 4, 2017.

The BlackTech group, the highly skilled cyberespionage team thought to be behind the Plead malware attacks, has been able to successfully continue using the revoked certificates to sign their malware because some programs just check if the code is signed and don't check the validity of the actual code-signing certificate.
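The gap described above, shown as a simplified model that is an added example and not code from the original article: a check that only asks whether a file is signed, next to one that also validates the certificate, including revocation. The `SignatureInfo` structure, function names and sample values are hypothetical; only the July 4, 2017 revocation date comes from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class SignatureInfo:
    """Facts a verifier extracts from a signed file (hypothetical structure)."""
    signed: bool                    # a signature blob is present
    hash_matches: bool              # file digest equals the signed digest
    chain_trusted: bool             # signer chains to a trusted root
    not_before: datetime            # start of certificate validity
    not_after: datetime             # end of certificate validity
    revoked_at: Optional[datetime]  # revocation date from CRL/OCSP, if any
    timestamp: Optional[datetime]   # trusted countersignature time, if any

def naive_check(sig):
    """The flawed check: 'is it signed?' and nothing else."""
    return sig.signed

def strict_check(sig, now):
    """Return (ok, reason); validates the certificate, not just its presence."""
    if not sig.signed:
        return False, "unsigned"
    if not sig.hash_matches:
        return False, "content modified after signing"
    if not sig.chain_trusted:
        return False, "untrusted chain"
    # A trusted timestamp fixes the signing time; without one, judge as of now.
    signing_time = sig.timestamp or now
    if not (sig.not_before <= signing_time <= sig.not_after):
        return False, "certificate outside validity period"
    if sig.revoked_at is not None and signing_time >= sig.revoked_at:
        return False, "certificate revoked"
    return True, "valid"

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed samples: validity window, evaluation time and timestamp are invented.
REVOKED, NOW = utc(2017, 7, 4), utc(2018, 7, 1)
WINDOW = (utc(2016, 1, 1), utc(2019, 1, 1))
no_timestamp = SignatureInfo(True, True, True, *WINDOW, REVOKED, None)
stamped_earlier = SignatureInfo(True, True, True, *WINDOW, REVOKED, utc(2017, 1, 10))

if __name__ == "__main__":
    for name, sig in [("no timestamp", no_timestamp), ("stamped earlier", stamped_earlier)]:
        print(name, naive_check(sig), strict_check(sig, NOW))
```

In this model a signature with a trusted timestamp earlier than the revocation date still passes; a stricter policy can reject any file from a signer whose certificate is known to be compromised.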

Stealing a genuine company's code-signing certificate requires a certain degree of skill, and Trend Micro has uncovered a supply chain attack that is targeting organizations in South Korea. Attackers first steal the certificate of a support solutions provider and then use it to sign their malware so that they can deliver a remote access tool to their principal target victim via the update process. By attacking and compromising smaller companies first, attackers can compromise heavily defended networks with signed malware to steal the well-respected code-signing certificates they need.
