A cyber-espionage group known as BlackTech stole digital certificates from two Taiwan-based tech companies and used them to sign two of its malware tools so they would pass as legitimate software. According to a detailed blog post by ESET, the group stole digital certificates from D-Link, the company known for making network routers and cameras, and from Changing Information Technology. According to the post, the group used the valid certificates to sign the Plead malware, a “remote controlled backdoor” into any system, and a second piece of software used to steal passwords.
For those unfamiliar with the mechanism: software vendors sign the code they ship using digital certificates so that operating systems such as Microsoft Windows, Apple macOS, and others can verify the files. This lets the operating system check that a program file a user has downloaded (usually an executable, a file with the .exe extension) was made by a trusted software company. The verification relies on the cryptographic signature that the certificate's signing key produces over the file. Signing malware and viruses with a stolen certificate can therefore trick the operating system into not applying its defense mechanisms.
The security firm notified D-Link after discovering this, and after an investigation D-Link issued a support announcement informing everyone that it was revoking the stolen digital certificate. The blog also pointed out that the group appears to be “highly skilled”, having compromised “several Taiwan-based technology companies” to “reuse their code-signing certificates”.
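The signature check described above, and the revocation that D-Link issued afterwards, can both be exercised from a Windows host. The following is an added example, not code from the article or from ESET or D-Link: it reads a file's Authenticode signature, prints who signed it, and then rebuilds the signer's certificate chain with online revocation checking so that a certificate revoked after the fact is flagged. The file path is a placeholder; the cmdlets and .NET types used are standard Windows PowerShell 5.1 / .NET features.

```powershell
# Added example (not from the article). Checks an executable's Authenticode signature
# and whether the signing certificate has since been revoked.
# Assumes a Windows host with PowerShell 5.1 or later and network access for CRL/OCSP lookups.
param(
    [string]$FilePath = 'C:\path\to\suspect.exe'   # placeholder path, not a file named in the article
)

$sig = Get-AuthenticodeSignature -FilePath $FilePath

# Status alone does not tell you who signed: malware signed with a stolen but
# not-yet-revoked certificate also reports 'Valid'. Always record the signer.
[pscustomobject]@{
    File          = $FilePath
    Status        = $sig.Status
    StatusMessage = $sig.StatusMessage
    Signer        = $sig.SignerCertificate.Subject
    Issuer        = $sig.SignerCertificate.Issuer
    Thumbprint    = $sig.SignerCertificate.Thumbprint
    NotAfter      = $sig.SignerCertificate.NotAfter
}

if ($sig.Status -ne 'Valid') { return }

# Rebuild the chain with online revocation checking. Once the issuing CA publishes the
# revocation (as happened after D-Link revoked its certificate), the CRL/OCSP lookup is
# what flags it; a cached or offline check may still report the old signature as good.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$ok = $chain.Build($sig.SignerCertificate)
foreach ($s in $chain.ChainStatus) {
    Write-Output ("Chain status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
}
if (-not $ok) {
    Write-Warning "Signer certificate does not chain cleanly (revoked, expired, or untrusted); treat the file as unsigned."
}
```

Two points a practitioner should keep in mind. First, an Authenticode signature that carries a trusted timestamp from before the certificate's revocation date can still verify as valid, so matching the signer subject and thumbprint against the vendor's revocation notice is more reliable than the status value alone. Second, the chain check here is a revocation check on the signer certificate, not a re-verification of the file hash; the `Get-AuthenticodeSignature` status already covers that.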
The company also noted that the Plead malware was padded with junk code yet built to serve a single purpose: to download files from a remote server and open “a small encrypted binary blob” on the local disk. The blob then downloads the final “Plead backdoor module” onto the system. The second malware, meant to steal passwords, collected the passwords saved by Google Chrome, Internet Explorer, Microsoft Outlook, and Mozilla Firefox on the system.