Malware-slinging scum copied D-Link's code-signing certificates to dress up PC nasties

Password-stealing backdoor lobbed at Windows boxes

Security researchers have warned that someone's obtained copies of code-signing certificates from two Taiwanese companies – and is using them to sign malware.

Abusing code-signing certificates in this way is an attempt to present software nasties as the legitimate product of the vendor whose key signed it.

Security vendor ESET spotted the certificates being used to sign files that its systems were marking as suspicious. One of the certs was from D-Link, and the other from Changing Information Technology (CIT). Both certificates have since been revoked, so eventually machines will pick up the revocations and reject the executables, hopefully.

D-Link's now-revoked certificate was used to sign code for its mydlink IP cameras. The ESET post doesn't identify which of CIT's products is associated with its key, but noted that ESET had seen malware samples still signed with the cert even after it was revoked.
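Revocation only helps once a machine actually checks for it. The following is an added example, not code from the article or from ESET: it walks a folder of executables, reads each Authenticode signer, builds the signer's certificate chain with online revocation checking, and flags files whose signing cert is revoked, whose revocation status could not be determined, or whose signer name matches a vendor named in the story. It assumes Windows PowerShell 5.1 or later; the signer-name substrings are assumptions for illustration, not the exact subject names on the real certificates.

```powershell
# Added example (not from the article or ESET). Assumes Windows PowerShell 5.1+.
# The signer-name substrings are assumed patterns, not the real cert subjects.
using namespace System.Security.Cryptography.X509Certificates

$SuspectSignerPatterns = @('D-Link', 'Changing Information Technology')

function Get-SignerRevocationReport {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string[]]$Patterns = $SuspectSignerPatterns
    )
    Get-ChildItem -Path $Folder -Recurse -Include *.exe, *.dll, *.sys -File | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if (-not $cert) { return }   # unsigned file: nothing to check here

        # Build the chain ourselves so we see *why* trust fails, not just that it does.
        $chain = [X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
        $null  = $chain.Build($cert)
        $flags = $chain.ChainStatus.Status   # empty when the chain is clean

        [pscustomobject]@{
            Path              = $_.FullName
            Signer            = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            SignatureStatus   = $sig.Status   # Valid, NotTrusted, HashMismatch, ...
            Revoked           = ($flags -contains 'Revoked')
            # CRL/OCSP lookup failed: treat as "not proven good", not as good.
            RevocationUnknown = (($flags -contains 'RevocationStatusUnknown') -or
                                 ($flags -contains 'OfflineRevocation'))
            NameMatch         = [bool]($Patterns | Where-Object { $cert.Subject -like "*$_*" })
        }
        $chain.Dispose()
    }
}

# Usage: list only the files worth a second look.
Get-SignerRevocationReport -Folder 'C:\Users\Public\Downloads' |
    Where-Object { $_.Revoked -or $_.RevocationUnknown -or $_.NameMatch } |
    Format-Table Path, Signer, SignatureStatus, Revoked, RevocationUnknown, NameMatch -AutoSize
```

Note that Get-AuthenticodeSignature's own Status can still read Valid for a signature that was timestamped before the certificate's revocation date, which is why the chain's Revoked flag is reported separately.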

ESET said the compromised certificates were used to sign Windows malware dubbed Plead, which siphons off passwords entered into infected machines' web browsers and opens remote-control backdoors. Japan's CERT analyzed Plead in early June.

The command and control servers associated with Plead, ESET's post said, are amazon.panasocin[.]com, office.panasocin[.]com, and okinawas.ssl443[.]org.

In late June, Trend Micro dubbed the group involved with the campaign BlackTech, and said its main targets are in Taiwan, Japan, and Hong Kong.

Plead has been active since 2012, Trend Micro's post said, and all the BlackTech campaigns (Shrouded Crossbow and Waterbear, as well as Plead) have at least two C&Cs in common. ®
