Researchers at a Slovakia-based IT security company have detected an information-stealing malware campaign thriving on stolen digital certificates. These stolen certificates are giving the 'PLEAD' malware campaign a safe passage past defenses that trust signed code.
The digital certificates in question, also known as code-signing certificates, vouch for the authenticity of the application they are attached to: a valid signature tells the operating system and the user that the file was signed by the named organization and has not been altered since.
It has been reported that, during routine checks, the researchers at ESET detected suspicious files linked to the PLEAD malware campaign. On further investigation they discovered that the malicious files were digitally signed with valid code-signing certificates belonging to D-Link Corporation and Changing Information Technology Inc. Both certificates later turned out to have been stolen from these two Taiwanese companies.
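The practical lesson of the paragraph above is that a signature reporting "Valid" is not by itself proof that a file is legitimate; a defender still wants to see who the signer is and whether the certificate has since been revoked. The following PowerShell script is an added example, not code from the article or from ESET, that audits the Authenticode signatures of executables in a directory and flags files whose signer matches a watch list. The directory path and the watch-list entries are assumptions; the two company names come from the article.

```powershell
# Added example (not from the article): audit Authenticode signatures and
# surface signer details so that a valid-but-suspect signer can be spotted.
# $Path and the watch-list contents are assumptions; edit them for your estate.
param(
    [string]$Path = "C:\Samples",                       # assumed directory to audit
    [string[]]$WatchSubjects = @("D-Link Corporation",  # organizations named in the article
                                 "Changing Information Technology")
)

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File |
    ForEach-Object {
        # Get-AuthenticodeSignature validates the signature and chain at check time.
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        $hit  = $false
        if ($cert) {
            foreach ($subject in $WatchSubjects) {
                if ($cert.Subject -like "*$subject*") { $hit = $true }
            }
        }
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = if ($cert) { $cert.Subject }    else { $null }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
            NotAfter    = if ($cert) { $cert.NotAfter }   else { $null }
            Timestamped = [bool]$sig.TimeStamperCertificate
            WatchHit    = $hit
        }
    } |
    Sort-Object WatchHit -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt and review every row with `WatchHit` set, regardless of `Status`. A `Status` of `Valid` only means the chain was trusted when the check ran; once a stolen certificate is revoked by its owner, the same file will start reporting `NotTrusted`, so the `Thumbprint` column is worth recording before that happens so the signer can still be matched against later revocation notices.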
About PLEAD Malware Campaign:
PLEAD, a known malware family first detected in 2012, has been used repeatedly to target Taiwanese private and government organizations. The PLEAD malware campaign has two components: an exfiltration tool and a backdoor. The backdoor gives malicious actors a path to infiltrate a system and gain remote access, while the exfiltration tool is used to steal passwords from Mozilla Firefox, Microsoft Internet Explorer, Google Chrome and Microsoft Outlook.
The PLEAD malware campaign has been linked to a highly skilled cyberespionage group called BlackTech. The BlackTech group has shown a great deal of expertise by reusing code-signing certificates to make malware appear as legitimate applications.
Similar Incidents in the Past:
Nevertheless, this is not the first time that the misuse of code-signing certificates has made the headlines. Back in March 2016, Symantec identified a China-based APT group that had used a stolen digital certificate to make a hack tool look legitimate. It later emerged that the certificate the group used to cover up its hack tool belonged to a well-known South Korean mobile software developer. The famous Stuxnet malware, used in the 2010 attack targeting Iranian nuclear facilities, was also digitally signed with stolen code-signing certificates of two Taiwan-based tech companies, Realtek and JMicron.