Stolen Sony certificates used to digitally sign Destover Malware

Pierluigi Paganini December 10, 2014

Security experts at Kaspersky Lab have detected a strain of the Destover malware that has been digitally signed with a certificate stolen during the Sony attack.

Security experts have detected a new strain of the Destover malware, the wiper used in the recent Sony Pictures Entertainment breach, with a singular feature: the sample is signed with a legitimate certificate stolen from Sony. Destover has been observed several times in recent years; one of the most notorious attacks was DarkSeoul, run by the WhoIs team, which in 2013 targeted South Korean media and banks. The television networks YTN, MBC and KBS, together with Shinhan Bank and NongHyup Bank, two of the country's major banks, suffered serious outages.

The Destover family of trojans is known because, once it has compromised a machine, it is able to steal data and then wipe all the information stored on it.

The new variant is identical to an earlier version of Destover that was not signed. The group that claimed credit for the attack against Sony Pictures, the GOP, stole a huge amount of data from the company, including sensitive corporate information, unreleased movies and evidently also the digital certificates used to sign the Destover sample.

The attackers are gradually releasing large amounts of information stolen in the data breach and are starting to use it to hit the company and its employees. Last week, Sony Pictures employees received threatening emails sent by the GOP collective; now the attackers are using the stolen digital certificates to sign malicious code.

The new, signed version of Destover appears to have been compiled in July 2014 and was signed on December 5, 2014.

“The signed sample has been previously observed in a non signed form, as MD5:6467c6df4ba4526c7f7a7bc950bd47eb and appears to have been compiled in July 2014. The new sample has the MD5 e904bf93403c0fb08b9683a9e858c73e and appears to have been signed on December 5th, 2014, just a few days ago.” states a blog post published on SecureList.

[Image: Destover malware signed]

The main purpose of digitally signing an application's code is to increase trust in the development process by preventing fraud and tampering with the software. The practice of digitally signing malicious code is very common among malware authors: a valid signature lets the code slip past the controls and alerts that security products raise for software from non-accredited publishers.

“In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own,” said Kurt Baumgartner of Kaspersky Lab.  “All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.”

As explained by the experts at Kaspersky, there is a concrete risk that the stolen digital certificates used to sign the Destover malware could be used in other attacks.

“The stolen Sony certificates (which were also leaked by the attackers) can be used to sign other malicious samples. In turn, these can be further used in other attacks. Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective,” wrote Kaspersky researchers.

Below is the serial number of the stolen digital certificate:

01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce
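A defender's first use of that serial number is to recognise it in signed binaries. The script below is an added example, not code from the article or from Kaspersky: it walks just enough of a DER-encoded X.509 certificate to read the serialNumber INTEGER, normalises printed serials (spaces, colons, case) to integer values so formatting cannot defeat the comparison, and checks the result against a blocklist seeded with the leaked serial from the article. Because the page carries no certificate bytes, the test input is a constructed fragment built by `build_cert_fragment` (outer SEQUENCE, tbsCertificate, version and serialNumber only), which is not a real or valid certificate; the blocklist label text is likewise my own. Only the Python standard library is used.

```python
"""Match an X.509 certificate's serial number against a leaked-certificate
blocklist.  Added example; the DER walker reads only what it needs."""

# Serial number of the leaked Sony certificate, as printed in the article.
LEAKED_SONY_SERIAL = "01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce"


def normalize_serial(text):
    """Hex serial with any separators/case -> int, so comparisons ignore formatting."""
    return int("".join(ch for ch in text if ch.isalnum()), 16)


# Blocklist keyed by integer serial; label text is constructed for this example.
BLOCKLIST = {normalize_serial(LEAKED_SONY_SERIAL): "Sony Pictures code-signing cert (leaked 2014-12)"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value element at buf[pos]; return (tag, value, end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                          # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def serial_from_cert(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }.  Return serialNumber as an int."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                           # explicit [0] version present: skip it
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    # DER INTEGER is two's complement: a leading 0x00 pad keeps large serials positive.
    return int.from_bytes(value, "big", signed=True)


def is_blocklisted(cert_der):
    """Return the blocklist label for the certificate's serial, or None."""
    return BLOCKLIST.get(serial_from_cert(cert_der))


# --- constructed test input (not a real certificate) ---------------------------
def _tlv(tag, content):
    """Minimal DER encoder used only by build_cert_fragment."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_integer(value):
    """Shortest two's-complement encoding of a non-negative int, as DER requires."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)


def build_cert_fragment(serial):
    """Constructed stand-in for a certificate: outer SEQUENCE, tbsCertificate
    SEQUENCE, version v3 and serialNumber only.  Enough for serial_from_cert."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    tbs = _tlv(0x30, version + _tlv(0x02, _der_integer(serial)))
    return _tlv(0x30, tbs)


if __name__ == "__main__":
    leaked = build_cert_fragment(normalize_serial(LEAKED_SONY_SERIAL))
    print("leaked serial ->", is_blocklisted(leaked))
    other = build_cert_fragment(0x80FF)       # high bit set: DER pads with 0x00
    print("other serial  ->", is_blocklisted(other))
```

On real input, `serial_from_cert` takes the DER bytes of the signer certificate extracted from a binary's Authenticode PKCS#7 blob; comparing integer values rather than hex strings matters because tools print the same serial with or without the DER sign-pad byte, separators and leading zeros. Serial numbers are only unique per issuer, so a production check should key the blocklist on (issuer, serial) rather than serial alone.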

Pierluigi Paganini

(Security Affairs –  Destover malware, Sony Pictures, digital certificate)
