Malware

Malware campaign employs fake security certificate updates

Crooks are using a new phishing technique to trick victims into accepting the installation of a security certificate update and deliver malware.

Security experts from Kaspersky Lab discovered spotted a new attack technique used by crooks to distribute malware by tricking victims into installing a malicious “security certificate update” when they visit compromised websites.

We have already observed threat actors distributing malware masqueraded by legitimate software updates. The new technique differs from previous ones because visitors to infected websites are asked to install a software update because the security certificate had expired.

“we recently discovered a new approach to this well-known method: visitors to infected sites were informed that some kind of security certificate had expired. Unsurprisingly, the update on offer was malicious.” reads the report published Kaspersky.

“We detected the infection on variously themed websites — from a zoo to a store selling auto parts. The earliest infections found date back to January 16, 2020.”

The attackers that are using this new technique compromised a variety of websites, ranging from a zoo to an e-store selling vehicle parts. The first infections employed in these attacks date back to January 16, 2020. 

The compromised websites display a message claiming the website’s security certificate is expired and urge visitors to install a “security certificate update” to correctly view the content of the website. 

The message is contained within an iframe and content is loaded via a ldfidfa[.]pw/jquery.js script from a third-party server.

While the script is loaded, the URL bar still displays the legitimate address.

“The jquery.js script overlays an iframe that is exactly the same size as the page,” continues the analysis. “As a result, instead of the original page, the user sees a seemingly genuine banner urgently prompting to install a certificate update.”

Once the victim clicked on the update button, a file is downloaded (Certificate_Update_v02.2020.exe). 

The executable unpacks and installs one of two malware variants to the victim, tracked as Mokes and Buerak. 

The Mokes backdoor allows hackers to execute arbitrary commands on the victim’s computer, it works on Linux, Windows and also OS X.

Buerak is a Windows-based Trojan that implements backdoor capabilities and anti-analysis techniques. 

Kaspersky experts included in their analysis the Indicators of Compromise (IoCs).

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, undersea cables)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

2 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

16 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

22 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.