Data Thieves Exploit New Certificate Abuse Tactic

New Type of Certificate Abuse Used to Spread Info-Stealing Malware

Introduction

In recent months, cyber attackers have been employing a new tactic known as certificate abuse to spread info-stealing malware, with a particular focus on stealing credentials and sensitive data. This campaign utilizes search engine optimization (SEO) poisoning to manipulate search results and redirect users to malicious pages promoting illegal software cracks and downloads. The malware involved in this campaign is known as LummaC2 and RecordBreaker, also known as Raccoon Stealer V2. Researchers from AhnLab, a South Korea-based cybersecurity company, have shed light on this emerging threat in a recent blog post.

The Technique

The certificate abuse technique observed in this campaign involves abnormal certificates whose Subject Name and Issuer Name fields contain unusually long strings. These strings mix non-English scripts, such as Arabic and Japanese, with special characters and punctuation marks. Because Windows cannot display such certificates normally, inspecting them requires specific tools or infrastructure. The long strings and non-English characters serve to confuse and evade signature verification processes, potentially allowing the malware to bypass certain defenses.
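The indicators described above (excessive length, mixed non-Latin scripts, heavy punctuation in the Subject and Issuer names) can be turned into a simple triage heuristic. The following is an added example for this article, not code from AhnLab or from the malware report; it assumes the distinguished names have already been extracted as one-line strings in `CN=..., O=..., C=US` form (for instance from the signer certificate of a PE file's Authenticode signature), and the thresholds it uses are assumptions chosen for illustration, not figures from the report. The sample names are constructed.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Heuristic thresholds. These are assumptions for this example, not values from the AhnLab report.
MAX_NAME_LENGTH = 128    # full DN string length beyond which the name counts as "unusually long"
MAX_PUNCT_RATIO = 0.15   # share of punctuation/symbol characters inside the attribute values
LATIN_SCRIPTS = {"LATIN"}


@dataclass
class NameReport:
    name: str
    length: int
    scripts: Set[str] = field(default_factory=set)
    punct_ratio: float = 0.0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require the length anomaly plus at least one more indicator, so a legitimate signer
        # with a Japanese or Arabic company name is not flagged on script alone.
        has_length = any(r.startswith("length") for r in self.reasons)
        return has_length and len(self.reasons) >= 2


def split_rdn_values(name: str) -> List[str]:
    """Split 'CN=..., O=..., C=US' into its attribute values.
    Naive on purpose: assumes ', ' between RDNs and no escaped commas (enough for the samples)."""
    parts = re.split(r",\s*(?=[A-Za-z0-9.]+=)", name)
    return [part.partition("=")[2] for part in parts]


def script_of(ch: str) -> Optional[str]:
    """Script name taken from the Unicode character name ('ARABIC', 'HIRAGANA', 'LATIN', ...)."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def analyze_name(name: str) -> NameReport:
    """Score one distinguished name against the three indicators from the campaign."""
    report = NameReport(name=name, length=len(name))
    total = punct = 0
    for value in split_rdn_values(name):
        for ch in value:
            total += 1
            if unicodedata.category(ch)[0] in ("P", "S"):  # punctuation or symbol
                punct += 1
            script = script_of(ch)
            if script:
                report.scripts.add(script)
    report.punct_ratio = punct / total if total else 0.0
    if report.length > MAX_NAME_LENGTH:
        report.reasons.append(f"length {report.length} > {MAX_NAME_LENGTH}")
    non_latin = sorted(report.scripts - LATIN_SCRIPTS)
    if non_latin:
        report.reasons.append("non-Latin scripts: " + ", ".join(non_latin))
    if report.punct_ratio > MAX_PUNCT_RATIO:
        report.reasons.append(f"punctuation ratio {report.punct_ratio:.2f} > {MAX_PUNCT_RATIO}")
    return report


def triage(subject: str, issuer: str) -> dict:
    """Analyze both names; the certificate is flagged if either name is suspicious."""
    subj, iss = analyze_name(subject), analyze_name(issuer)
    return {"suspicious": subj.suspicious or iss.suspicious, "subject": subj, "issuer": iss}


# Constructed sample names (not real certificates from the campaign).
NORMAL_SUBJECT = "CN=Contoso Ltd, O=Contoso Ltd, L=Redmond, S=Washington, C=US"
NORMAL_ISSUER = "CN=Contoso Root CA, O=Contoso Ltd, C=US"
ABNORMAL_SUBJECT = "CN=" + "مرحبا!!! こんにちは??? >>>> " * 6 + ", O=" + "##$$%%" * 5 + ", C=US"
ABNORMAL_ISSUER = ABNORMAL_SUBJECT

if __name__ == "__main__":
    for label, subject, issuer in (("normal", NORMAL_SUBJECT, NORMAL_ISSUER),
                                   ("abnormal", ABNORMAL_SUBJECT, ABNORMAL_ISSUER)):
        result = triage(subject, issuer)
        print(f"{label}: suspicious={result['suspicious']}")
        for which in ("subject", "issuer"):
            for reason in result[which].reasons:
                print(f"  {which}: {reason}")
```

The verdict deliberately requires the length anomaly together with a second indicator: non-Latin scripts by themselves are normal for signers outside the English-speaking world, and it is the combination of length, script mixing and punctuation that the report describes. A real deployment would feed the names from whatever extraction tool is able to read these certificates and log the `reasons` list as the detection event.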

The Delivery Method

The malware is primarily delivered through websites that promote illegal cracks and downloads. These sites serve as a front for distributing the malware, which masquerades as legitimate .NET installers. Researchers have also observed Raccoon Stealer V2 being distributed through YouTube and other malware sources. This multi-channel approach increases the attackers’ chances of infecting unsuspecting users.

Malicious Functionality and Implications

Both LummaC2 and Raccoon Stealer are well known to security researchers and are designed to steal sensitive user information from infected systems. Upon infection, these malware variants can transmit various types of data, including browser-saved account credentials, documents, and cryptocurrency wallet files. The stolen data is then sent to the threat actor, potentially resulting in severe secondary damage. Furthermore, these variants also install additional malware chosen by the attackers, enabling further malicious activity.

The Significance and Recommendations

The emergence of this novel certificate abuse technique highlights the evolving strategies employed by cybercriminals to evade detection and exploit unsuspecting users. While the success of this technique has been limited thus far, it is crucial for Windows users to exercise caution when downloading software online, particularly from websites known to offer illegal versions of popular applications.

To mitigate the risk of falling victim to such threats, it is advisable to rely on official sources for software downloads, such as the official websites of software providers. Users should also maintain up-to-date antivirus and anti-malware software, as well as regular system updates. Additionally, being aware of the indicators of compromise provided by AhnLab researchers and remaining vigilant to suspicious URLs and unexpected download prompts can help protect against these malicious campaigns.

Conclusion

The new type of certificate abuse utilized by cyber attackers to spread info-stealing malware is a concerning development in the cybersecurity landscape. By employing abnormal certificates featuring long strings and non-English characters, the attackers aim to bypass security measures and collect sensitive user data. Users must prioritize their online security by adopting preventive measures and staying informed about emerging threats. As the threat landscape continues to evolve, greater awareness and enhanced cybersecurity practices are essential to safeguard personal and organizational data.
