A New Type of Certificate Abuse Aimed at Spreading Info-Stealing Malware
Background
Attackers have recently been employing a new technique to spread info-stealing malware with the goal of collecting credentials and other sensitive data, including cryptocurrency, from Windows systems. The campaign uses search engine optimization (SEO) poisoning so that search results feature malicious pages promoting illegal software cracks and downloads. The malware used in this campaign includes remote access Trojans (RATs) known as LummaC2 and RecordBreaker (also known as Raccoon Stealer V2).
Abnormal Certificates and Malicious Payloads
Researchers from the South Korea-based company AhnLab have revealed that the malware in question is signed with abnormal certificates whose Subject Name and Issuer Name fields contain unusually long strings. These strings contain Arabic, Japanese, and other non-English text, as well as special characters and punctuation marks. Such certificates require specific tools or infrastructure to inspect and are not displayed properly by Windows. The use of these certificates aims to confuse and bypass some defenses.
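The traits described above (over-long Subject/Issuer values, a mix of unrelated non-Latin scripts, and a high share of punctuation or symbol characters) are easy to turn into a triage heuristic. The following Python script is an added example for this article, not code from AhnLab or from the campaign analysis; the thresholds, the script-family grouping, and the sample distinguished names are all assumptions constructed for illustration. It operates on RFC 4514 DN strings, which is the form you get from, for example, `cert.subject.rfc4514_string()` in the `cryptography` library or from the `SignerCertificate.Subject` property returned by PowerShell's `Get-AuthenticodeSignature`.

```python
import re
import unicodedata
from dataclasses import dataclass

# Heuristic thresholds. These are assumptions chosen for this example, not
# values taken from AhnLab's analysis. X.520 caps common-name and
# organization-name at 64 characters, which makes 64 a sensible per-value bound.
MAX_VALUE_LEN = 64
MAX_SYMBOL_RATIO = 0.30   # share of punctuation/symbol characters in one value
# Japanese text legitimately mixes hiragana, katakana and kanji, so treat them
# as one family; only unrelated families (e.g. Arabic + CJK) count as "mixed".
SCRIPT_FAMILY = {"HIRAGANA": "CJK", "KATAKANA": "CJK", "CJK": "CJK"}


@dataclass
class DnAssessment:
    dn: str
    reasons: list
    scripts: set

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_rfc4514(dn: str):
    """Split an RFC 4514 string such as 'CN=a,O=b' into (type, value) pairs.
    Commas escaped with a backslash stay inside the value."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            continue  # tolerate stray fragments rather than failing the whole check
        attr, value = part.split("=", 1)
        pairs.append((attr.strip(), value.strip().replace("\\,", ",")))
    return pairs


def script_family(ch: str) -> str:
    """Coarse script of a letter, derived from the first word of its Unicode name."""
    first = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
    return SCRIPT_FAMILY.get(first, first)


def assess_dn(dn: str) -> DnAssessment:
    """Flag Subject/Issuer strings with the traits the article describes:
    unusually long values, a mix of unrelated non-Latin scripts, and a high
    share of punctuation or symbol characters."""
    reasons = []
    all_scripts = set()
    for attr, value in split_rfc4514(dn):
        scripts = {script_family(c) for c in value if c.isalpha()}
        all_scripts |= scripts
        if len(value) > MAX_VALUE_LEN:
            reasons.append(f"{attr}: value length {len(value)} exceeds {MAX_VALUE_LEN}")
        non_latin = scripts - {"LATIN"}
        if len(non_latin) >= 2:
            reasons.append(f"{attr}: mixes non-Latin scripts {sorted(non_latin)}")
        # Unicode general categories P* (punctuation) and S* (symbols).
        symbols = sum(1 for c in value if unicodedata.category(c)[0] in "PS")
        if value and symbols / len(value) > MAX_SYMBOL_RATIO:
            reasons.append(f"{attr}: {symbols}/{len(value)} characters are punctuation or symbols")
    return DnAssessment(dn=dn, reasons=reasons, scripts=all_scripts)


# Constructed sample input. NORMAL_DN mimics an ordinary code-signing subject;
# ABNORMAL_DN mimics the long, multi-script, punctuation-heavy names the article
# describes (Arabic and Japanese characters are written as \u escapes).
NORMAL_DN = "CN=Example Software Ltd,O=Example Software Ltd,L=Seattle,ST=Washington,C=US"
ABNORMAL_DN = (
    "CN=" + ("\u0645\u0631\u062d\u0628\u0627_\u0628\u0627\u0644\u0639\u0627\u0644\u0645-"
             "\u3053\u3093\u306b\u3061\u306f\u4e16\u754c=>!!??##") * 4
    + ",O=" + ("\u0633\u0648\u0641\u062a::::\u30bd\u30d5\u30c8;;;;") * 3
    + ",C=XX"
)


def triage(dns):
    """Return the assessments for those DN strings that should go to an analyst."""
    return [a for a in (assess_dn(d) for d in dns) if a.suspicious]


if __name__ == "__main__":
    for a in triage([NORMAL_DN, ABNORMAL_DN]):
        print("SUSPICIOUS:", a.dn[:60] + "...")
        for r in a.reasons:
            print("  -", r)
```

Run against the two constructed names, the normal DN produces no findings while the abnormal one is flagged on length, script mixing and symbol density. A single non-Latin script is deliberately not a finding on its own, because plenty of legitimate signers have Japanese or Arabic company names; the point of the heuristic is to surface names that could not plausibly belong to any real organization.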
Typical Certificate Abuse
While certificate abuse is a common tactic among threat actors, it is typically done differently. Malware often disguises itself with normal certificates that pass verification, thus appearing to be authentic software. These legitimate certificates allow the malware to be downloaded and executed without raising alarms. In this recent campaign, however, the attackers are taking a different approach by using abnormal certificates that would likely fail any signature verification.
Similar Tactics by Other Threat Actors
This new technique of using long-string certificates is reminiscent of recent tactics employed by other threat actors. For example, the RedLine and Vidar stealer malware were observed distributing ransomware payloads signed with Extended Validation (EV) certificates. These legitimate certificates allowed the malware to slip past email security measures. LummaC2 and Raccoon Stealer, like the RedLine and Vidar stealers, have various malicious functionalities but primarily focus on stealing data from infected systems. The stolen data can include browser-saved account credentials, documents, cryptocurrency wallet files, and more.
Implications and Recommendations
While the long-string certificate technique is still in the experimental stage and has only been partially successful thus far, it is important for users to be aware of this evolving threat. Windows users, in particular, should exercise caution when downloading software online, especially from websites known for distributing illegal versions of popular applications. Users should also keep their systems and software up to date, as unpatched vulnerabilities can be exploited by attackers.
Conclusion
The use of abnormal certificates with long strings in an attempt to spread info-stealing malware is a concerning development in the realm of cybersecurity. Despite the limited success of this technique, it is clear that threat actors are continuously evolving their tactics to bypass defenses and steal sensitive data. It is imperative for individuals and organizations to remain vigilant, adopt robust security measures, and stay informed about emerging threats.