Cybercriminals have graduated from buying digital certificates to stealing them.

A few weeks ago we learned that cybercriminals believed to be part of the infamous Lazarus Group had created a legitimate-seeming company to acquire a valid digital certificate for the AppleJeus malware. Being signed with that valid certificate allowed the malware to pass through a system unnoticed.

But now Kaspersky Lab’s Global Research and Analysis Team (GReAT) has discovered a form of malware that simply stole the certificate it needed.

“The Trojan discovered by Kaspersky Lab experts infected a target computer via a driver built by the threat actors. This allowed the attackers to execute all common tasks such as command execution, downloading and uploading files, and to intercept network traffic,” says the GReAT team.

The firm says that the Trojan appears to have stolen a digital certificate from a security-related software developer based in China.

It gets worse though.

The actor behind this Trojan is believed to be LuckyMouse and, according to GReAT, the Trojan is simply a collection of publicly available code.

“Another noteworthy feature of the driver is that despite LuckyMouse’s ability to create its own malicious software, the software used in the attack appeared to be a combination of publicly available code samples from the public repositories and custom malware,” says the research team.

While this does make attributing the Trojan to one specific actor difficult, GReAT is confident that LuckyMouse is behind the malware, as the code contacts a command-and-control server previously known as LuckyMouse C2.

While the threat appears to have targeted Asian government entities, GReAT advises that companies take the following actions to protect against threats such as this.

  • Do not automatically trust the code running on your systems. Digital certificates do not guarantee the absence of backdoors.
  • Use a robust security solution, equipped with malicious-behaviour detection technologies that enable even previously unknown threats to be caught.
  • Subscribe your organisation’s security team to a high quality threat intelligence reporting service in order to get early access to information on the most recent developments in the tactics, techniques and procedures of sophisticated threat actors.
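The first point above is the one a signed-driver attack tests directly: a stolen code-signing certificate still produces a "Valid" signature. The following is an added triage script, not code from Kaspersky or from the report, that lists running kernel drivers whose signature is missing, broken, or issued to a signer outside an allowlist that you maintain yourself (the allowlist entries below are placeholders, and the script assumes Windows PowerShell 5.1 or later on Windows 10+, where Get-AuthenticodeSignature also resolves catalog signatures).

```powershell
# Added example: flag running drivers for review instead of trusting the
# signature status alone. A "Valid" status only proves the file was signed
# with a certificate that chains to a trusted root; it says nothing about
# whether that certificate was stolen from its legitimate owner.

# Assumed allowlist of expected signer subjects (substring match) and, optionally,
# pinned certificate thumbprints. These are placeholders for your own estate.
$AllowedSubjects   = @('CN=Microsoft Windows', 'CN=Microsoft Windows Hardware Compatibility Publisher')
$AllowedThumbprints = @()   # e.g. thumbprints of your own vendors' signing certs

Get-CimInstance -ClassName Win32_SystemDriver |
  Where-Object { $_.State -eq 'Running' -and $_.PathName } |
  ForEach-Object {
    # PathName may be quoted or carry a \??\ or \SystemRoot\ prefix; normalise it.
    $path = $_.PathName.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { return }   # skip the item, not the loop

    $sig     = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '' }
    $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

    # Known signer: subject matches the allowlist or the thumbprint is pinned.
    $known = [bool]($AllowedSubjects | Where-Object { $subject -like "*$_*" }) -or
             ($AllowedThumbprints -contains $thumb)

    [pscustomobject]@{
      Driver     = $_.Name
      Path       = $path
      Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
      SigType    = $sig.SignatureType   # Authenticode or Catalog (inbox drivers)
      Signer     = $subject
      Thumbprint = $thumb
      # Review anything unsigned/invalid, and anything validly signed by an
      # unexpected signer: that second bucket is where a stolen cert shows up.
      Review     = ($sig.Status -ne 'Valid') -or (-not $known)
    }
  } |
  Where-Object Review |
  Sort-Object Status, Signer |
  Format-Table Driver, Status, SigType, Signer, Path -AutoSize
```

Treat the output as a worklist, not a verdict: a signer outside the allowlist may simply be a vendor you forgot to add, so confirm each unexpected signer against the certificate's revocation status and the vendor's published signing identity before acting.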
[Source – Kaspersky Lab] [Image – CC 0 Pixabay]