Security researchers have warned that someone has obtained code-signing certificates, along with the private keys that go with them, from two Taiwanese companies, and is using them to sign malware.
Abusing code-signing certificates in this way is an attempt to pass off software nasties as the legitimate product of the vendor whose key signed them: a valid signature from a known vendor gets an executable past signature checks and draws less suspicion from Windows, security products and users.
Security vendor ESET spotted the certificates being used to sign files that its systems had flagged as suspicious. One of the certs belonged to D-Link, the other to Changing Information Technology (CIT). Both certificates have since been revoked, so machines that check revocation will eventually reject the executables. Two caveats apply: revocation only bites where the verifier actually fetches the CA's CRL or OCSP response, and an Authenticode signature that carries a trusted timestamp from before the revocation's effective date can continue to validate unless the CA sets that date back to when the key is believed to have been compromised.
D-Link's now-revoked certificate had been used to sign code for its mydlink IP cameras. The ESET post doesn't identify which of CIT's products is associated with its key, but notes that ESET has malware samples that were still being signed with the cert after it was revoked.
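To make the revocation discussion concrete, here is an added example (not ESET's or The Register's code, and not a tool the article mentions) that parses a Windows PE file, pulls the embedded Authenticode signature blob out of its certificate table, and computes the Authenticode hash, the "authentihash", that such a signature actually covers. The PE image it builds is constructed for the example, and the "signature" blob inside it is a placeholder, not a real PKCS#7 structure. The point it demonstrates: the checksum field, the security data-directory entry and the certificate table are all excluded from the hash, so the same payload carries the same authentihash whether it is unsigned, signed with a stolen cert or re-signed with a different one. That is why analysts can pivot on authentihash to find the same binary under different signatures, and why nothing but revocation (honoured by the verifier) stops a sample that has already been signed.

```python
"""Extract the Authenticode signature from a PE and compute its authentihash.
Added example, standard library only.  FILE_ALIGN and build_pe() are this
example's own constructed test fixture, not part of any real toolchain."""
import hashlib
import struct

FILE_ALIGN = 0x200


def _layout(data):
    """Find the header fields Authenticode hashing must skip, plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = {0x10B: 96, 0x20B: 112}.get(magic)               # data-directory offset: PE32 / PE32+
    if dd is None:
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    cert_entry = opt + dd + 4 * 8                         # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, cert_entry)  # file offset, not an RVA
    sections = []
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        sections.append((raw_ptr, raw_size))
    return {"checksum": opt + 64, "cert_entry": cert_entry,
            "headers": struct.unpack_from("<I", data, opt + 60)[0],
            "cert_off": cert_off, "cert_size": cert_size, "sections": sections}


def authentihash(data, algo="sha256"):
    """Hash the file the way Authenticode does: skip CheckSum, the security
    directory entry and the certificate table; hash sections in file order."""
    L = _layout(data)
    h = hashlib.new(algo)
    h.update(data[:L["checksum"]])
    h.update(data[L["checksum"] + 4:L["cert_entry"]])
    h.update(data[L["cert_entry"] + 8:L["headers"]])
    hashed = L["headers"]
    for raw_ptr, raw_size in sorted(L["sections"]):
        if raw_size:
            h.update(data[raw_ptr:raw_ptr + raw_size])
            hashed += raw_size
    end = len(data)
    if L["cert_size"]:
        if L["cert_off"] + L["cert_size"] != len(data):
            raise ValueError("certificate table is expected at end of file")
        end = L["cert_off"]
    h.update(data[hashed:end])                            # overlay data, if any
    return h.hexdigest()


def extract_certificates(data):
    """Return [(wRevision, wCertificateType, bCertificate)] for each WIN_CERTIFICATE."""
    L = _layout(data)
    out, pos, end = [], L["cert_off"], L["cert_off"] + L["cert_size"]
    while L["cert_size"] and pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE")
        out.append((revision, ctype, data[pos + 8:pos + length]))
        pos += (length + 7) & ~7                          # entries are 8-byte aligned
    return out


def build_pe(code, cert_blob=None, checksum=0):
    """Constructed minimal PE32+ image: one .text section, optional certificate table."""
    if len(code) > FILE_ALIGN:
        raise ValueError("example supports at most one file-alignment unit of code")
    code = code.ljust(FILE_ALIGN, b"\0")
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+
    struct.pack_into("<I", opt, 4, len(code))             # SizeOfCode
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)  # Section/FileAlignment
    struct.pack_into("<HH", opt, 48, 6, 0)                # subsystem version
    struct.pack_into("<II", opt, 56, 0x2000, FILE_ALIGN)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)             # CheckSum (not covered by the hash)
    struct.pack_into("<HH", opt, 68, 3, 0)                # Subsystem: console
    struct.pack_into("<QQQQ", opt, 72, 0x100000, 0x1000, 0x100000, 0x1000)
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    cert_table = b""
    if cert_blob is not None:
        cert_table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        cert_table += b"\0" * (-len(cert_table) % 8)
        struct.pack_into("<II", opt, 112 + 4 * 8, 2 * FILE_ALIGN, len(cert_table))
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, len(code), FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(FILE_ALIGN, b"\0")
    return headers + code + cert_table
```

The example stops at the raw PKCS#7 blob; parsing the signer certificate out of it needs an ASN.1 library. To see the signer, the countersignature timestamp and the revocation status of a real sample, use `Get-AuthenticodeSignature` or `signtool verify /pa /v` on Windows, or `osslsigncode verify` elsewhere. The "certificate table at end of file" rule is a simplification this example enforces; real files occasionally carry data after it, and full implementations handle that per the Authenticode spec.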
ESET said the compromised certificates were used to sign Windows malware dubbed Plead, which siphons off passwords entered into infected machines' web browsers and opens a remote-control backdoor. Japan's CERT, JPCERT/CC, analysed Plead in early June.
The command-and-control servers associated with Plead, ESET's post said, are amazon.panasocin[.]com, office.panasocin[.]com and okinawas.ssl443[.]org.
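Those three hostnames are the kind of indicator a SOC would sweep DNS or proxy logs for. The following is an added example, not part of the article or ESET's post: it refangs the defanged indicators, then scans constructed DNS query log lines (format `timestamp client query qtype`, invented for the example) and reports queries that are the listed hosts or subdomains of them. It deliberately does not match other hosts under the same parent domains, since the article only names these three hostnames; the sample log includes such a sibling host to show that limit.

```python
"""Hunt DNS query logs for the Plead C2 hostnames quoted in the article.
Added example; the log lines are constructed, not real telemetry."""
import re

# Indicators as published (defanged with "[.]").
PLEAD_C2 = ["amazon.panasocin[.]com", "office.panasocin[.]com", "okinawas.ssl443[.]org"]


def refang(indicator):
    """Turn a defanged hostname ('[.]', '(.)', '[dot]', 'hxxp://') into a comparable form."""
    host = re.sub(r"^hxxps?://", "", indicator.strip(), flags=re.I)
    host = host.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return host.lower().rstrip(".")


def matches(query, iocs):
    """Return the indicator that `query` equals or is a subdomain of, else None."""
    q = query.lower().rstrip(".")              # DNS logs often record FQDNs with a trailing dot
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def hunt(log_lines, indicators=PLEAD_C2):
    """Scan 'ts client query qtype' lines; return (ts, client, query, ioc) for each hit."""
    iocs = [refang(i) for i in indicators]
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, query = parts[0], parts[1], parts[2]
        ioc = matches(query, iocs)
        if ioc:
            hits.append((ts, client, query.lower().rstrip("."), ioc))
    return hits


# Constructed sample log: one benign lookup, three hits (trailing dot, subdomain,
# upper case) and one sibling host under panasocin.com that is NOT in the list.
SAMPLE_DNS_LOG = """\
# constructed sample, not real telemetry
2018-07-10T09:12:44Z 10.0.0.5  www.dlink.com              A
2018-07-10T09:13:02Z 10.0.0.5  office.panasocin.com.      A
2018-07-10T09:13:09Z 10.0.0.17 cdn.panasocin.com          A
2018-07-10T09:14:51Z 10.0.0.17 update.okinawas.ssl443.org A
2018-07-10T09:15:00Z 10.0.0.23 AMAZON.PANASOCIN.COM       AAAA
""".splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print("HIT %s %s asked for %s (matches %s)" % hit)
```

Whether to widen the match to the whole of panasocin.com or ssl443.org is an analyst's call based on your own pivoting on those domains; the code keeps to what the article reports.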
In late June, Trend Micro dubbed the group involved with the campaign BlackTech, and said its main targets are in Taiwan, Japan, and Hong Kong.
Plead has been active since 2012, Trend Micro's post said, and all of the BlackTech campaigns (Plead, Shrouded Crossbow and Waterbear) share at least two C&C servers. ®