New Trojan Uses Legit Certificate

Monday, September 10, 2018 @ 04:09 PM gHale

A previously unknown Trojan appears to be related to the Chinese-speaking threat actor, LuckyMouse, researchers said.

An unusual trait of this malware is its hand-picked driver, signed with a legitimate digital certificate, which has been issued by a company developing information security-related software, said researchers at Kaspersky Lab Global Research and Analysis Team.

RELATED STORIES
ICS Attacks Continue to Rise: Report
Machine Identities Not Secure: Report
Botnet Report: Multifunctional Malware Growing
Email Impersonation Attacks Skyrocket

LuckyMouse is known for highly-targeted cyberattacks on large entities around the world. The group has hit several regions including South Eastern and Central Asia, as the threat actor’s attacks seem to have a political agenda, researchers said.

Judging by victim profiles and the group’s previous attack vectors, Kaspersky Lab researchers said the Trojan they found might have been used for nation-state backed cyberespionage. 

The Trojan discovered by Kaspersky Lab experts infected a target computer via a driver built by the threat actors. This allowed the attackers to execute all common tasks such as command execution, downloading and uploading files as well as intercepting network traffic.

The driver became the most interesting part of this campaign. To make it appear trustworthy, the group purloined a digital certificate that belonged to an information security-related software developer, and used this to sign malware samples. This was done in an attempt to avoid being detected by security solutions, since a legitimate signature makes the malware look like legal software.

Another feature of the driver is that despite LuckyMouse’s ability to create its own malicious software, the software used in the attack appeared to be a combination of publicly available code samples from public repositories and custom malware. Such simple adoption of a ready-to-use third-party code, instead of writing original code, saves developers time and makes attribution more difficult.

“When a new LuckyMouse campaign appears, it’s almost always around the same time as the lead up to a high-profile political event, and the timing of an attack usually precedes world leader summits,” said Denis Legezo, security researcher, Kaspersky Lab. “The actor isn’t too worried about attribution because they are now implementing third-party code samples into their programs – it’s not time-consuming for them to add another layer to their droppers or to develop a modification for the malware and still remain untraced.”

Click here for more details on the Trojan.



Leave a Reply

You must be logged in to post a comment.