
Stolen Sony certificates used to digitally sign Destover Malware

Security experts at Kaspersky Lab have detected a strain of the Destover malware that has been digitally signed with certificates stolen during the Sony attack.

Security experts have detected a new strain of the Destover malware used in the recent Sony Pictures Entertainment breach, with one singular feature: the sample is signed with a legitimate certificate stolen from Sony. Destover has been detected several times in recent years; one of the most clamorous attacks was DarkSeoul, run by the Whois team, which in 2013 targeted media and banking organizations in South Korea: the television networks YTN, MBC and KBS and two of the country's major banks, Shinhan Bank and NongHyup Bank, suffered serious outages.

The Destover family of trojans is known because, once it has compromised a machine, it is able to steal data and then wipe all the information the machine stores.

The new variant is identical to an earlier, unsigned version of Destover. The group that claimed credit for the attack against Sony Pictures, the GOP, stole a huge amount of data from the company, including sensitive corporate information, unreleased movies and, evidently, the digital certificates used to sign the Destover sample.

The attackers are gradually releasing large amounts of information stolen in the data breach and have started using it to hit the company and its employees. Last week, Sony Pictures employees received threatening emails sent by the GOP collective; now the group is using the stolen digital certificates to sign malicious code.

The new, signed version of Destover appears to have been compiled in July 2014 and was signed on Dec. 5.

“The signed sample has been previously observed in a non-signed form, as MD5: 6467c6df4ba4526c7f7a7bc950bd47eb and appears to have been compiled in July 2014. The new sample has the MD5 e904bf93403c0fb08b9683a9e858c73e and appears to have been signed on December 5th, 2014, just a few days ago.” states a blog post published on SecureList.


The main purpose of digitally signing application code is to increase trust in the development process by preventing fraud and tampering with the software. Digitally signing malicious code is a common practice among malware authors because it lets the code evade the controls and warnings that operating systems and security products apply to software from non-accredited publishers.

“In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own,” said Kurt Baumgartner of Kaspersky Lab. “All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.”

As explained by the experts at Kaspersky, there is a concrete risk that the stolen digital certificates used to sign the Destover malware could be reused in other attacks.

“The stolen Sony certificates (which were also leaked by the attackers) can be used to sign other malicious samples. In turn, these can be further used in other attacks. Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective,” wrote Kaspersky researchers.

Below is the serial number of the stolen digital certificate:

01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce
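As an added example (not code from the article, Kaspersky or Sony), the following Python triage check shows how a defender can use the serial number quoted above: it locates the Authenticode certificate table inside a PE file and searches it for the DER encoding of blocklisted serials. The PE image and certificate table it builds for itself are constructed fixtures, not a real sample.

```python
import struct

# Serial number of the stolen Sony certificate, as quoted in the article above.
STOLEN_SERIAL_HEX = "01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce"

def der_integer(serial_hex: str) -> bytes:
    """Encode a serial as the DER INTEGER (tag 0x02) found in a certificate's TBSCertificate."""
    raw = bytes.fromhex(serial_hex.replace(" ", ""))
    if raw[0] & 0x80:                    # DER INTEGERs are signed: pad with 0x00 to keep the value positive
        raw = b"\x00" + raw
    return bytes([0x02, len(raw)]) + raw # serials are <= 20 bytes, so the short-form length always fits

def authenticode_blob(pe: bytes) -> bytes:
    """Return the raw WIN_CERTIFICATE table the PE security directory points at (empty if unsigned)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # data directories start at 96 (PE32) or 112 (PE32+)
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4 = SECURITY; holds a file offset, not an RVA
    return pe[off:off + size]

def blocklisted_serials(pe: bytes, blocklist=(STOLEN_SERIAL_HEX,)) -> list:
    """Serials from the blocklist whose DER encoding appears in the file's signature table.
    This is a triage check, not signature validation: it does not verify the PKCS#7 signature,
    and serials are only unique per issuer, so a production rule should also match the issuer DN."""
    blob = authenticode_blob(pe)
    return [s for s in blocklist if der_integer(s) in blob]

# --- constructed test fixture: a minimal PE32+ header wrapped around a fake certificate table ---
def win_certificate(pkcs7: bytes) -> bytes:
    """WIN_CERTIFICATE header (dwLength, wRevision 0x0200, wCertificateType 0x0002 = PKCS#7) + payload."""
    return struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7

def build_test_pe(cert_table: bytes) -> bytes:
    """Constructed PE32+ image (headers only, not runnable) whose security directory covers cert_table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = struct.pack("<H", 0x20B) + b"\0" * 110                               # PE32+ magic, rest zeroed
    table_off = e_lfanew + len(coff) + len(opt) + 16 * 8                       # table appended after 16 data dirs
    dirs = b"\0" * 32 + struct.pack("<II", table_off, len(cert_table)) + b"\0" * 88
    return dos + coff + opt + dirs + cert_table

if __name__ == "__main__":
    fake_sig = b"\x30\x82\x01\x00" + der_integer(STOLEN_SERIAL_HEX) + b"\x00" * 8   # stub PKCS#7 carrying the serial
    print(blocklisted_serials(build_test_pe(win_certificate(fake_sig))))            # prints the stolen serial
```

On a real sample, pass the file's bytes to blocklisted_serials; a hit means the file carries a certificate with the leaked serial and deserves a full signature check with a proper Authenticode verifier.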

Pierluigi Paganini

(Security Affairs –  Destover malware, Sony Pictures, digital certificate)
