Stolen D-Link certificates used to sign password stealing malware


It wasn’t the IP camera software that we thought

Hackers recently stole code-signing certificates from D-Link and another Taiwan-based manufacturer of routers and cameras, and used them to sign malware that steals passwords and installs backdoors on PCs, as reported by specialists in secure data destruction.

The certificates were used to cryptographically verify that software was genuinely issued by D-Link and Changing Information Technology. Microsoft Windows, Apple MacOS, and other operating systems rely on the cryptographic signatures produced with such certificates to help users confirm that executable files attached to emails or downloaded from websites come from the company they claim to, rather than from attackers impersonating that company.

Somehow, members of an advanced hacker group known as BlackTech obtained certificates belonging to D-Link and Changing Information Technology, as noted by experts in secure data destruction. The attackers then used the certificates to sign two pieces of malware: one a remotely controlled backdoor, the other a password stealer. Both are known as Plead and are used in espionage campaigns against targets located in East Asia.

Secure data destruction specialists recently documented the Plead malware attacks. According to reports from the International Institute of Cyber Security, some antivirus service providers have also investigated this malware.

According to specialized reports, the ability to compromise several technology companies and reuse their code-signing certificates in attacks shows that this group is highly skilled and has a particular interest in that region of the world.

In a statement, D-Link officials said that two separate code-signing certificates were recently misappropriated by a “highly active cyberespionage group”. They also said that most D-Link customers will not be affected by the theft, but suggested that some people may see errors when viewing mydlink IP cameras in a web browser. The company’s engineers are releasing updated firmware to correct these errors. People who use the mydlink mobile applications are not affected.

Both D-Link and Changing Information Technology have revoked the stolen certificates. Until the new D-Link firmware is issued, the company recommends that people who want to view their affected D-Link cameras in a browser temporarily ignore the certificate revocation warnings. This is risky advice, since malware operators could take advantage of users who become accustomed to ignoring such warnings.
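Because a signature made with a stolen certificate still looks valid to a casual check, a defender wants to verify both the signature and the certificate’s current revocation status. The following added example (not code from the article or from D-Link) scans a directory of Windows executables, re-walks each signer’s certificate chain with online revocation checking forced on, and flags files whose signer chains to a revoked certificate or whose signer name matches the two companies named above; the scan path and the watch list are assumptions.

```powershell
# Added example: flag executables whose Authenticode signature is not valid,
# chains to a revoked certificate, or is signed in the name of a watched vendor.
# Assumes Windows PowerShell 5.1+ and network access for OCSP/CRL lookups.
param(
    [string]$Path = "C:\Downloads",   # directory to scan (assumption)
    # Signer names taken from the article; matched as substrings of the subject.
    [string[]]$WatchSubjects = @("D-Link", "Changing Information Technology")
)

Get-ChildItem -Path $Path -Include *.exe,*.dll,*.sys -Recurse -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $result = [ordered]@{
        File    = $_.FullName
        Status  = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = $null
        Revoked = $false
        Watch   = $false
    }
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        # Rebuild the chain with revocation checking forced online for every
        # certificate, so a signature that Windows still reports as Valid
        # (for example, one timestamped before revocation) is still surfaced.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($sig.SignerCertificate)
        $result.Revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -match 'Revoked' })
        $result.Watch   = [bool]($WatchSubjects | Where-Object { $result.Signer -like "*$_*" })
    }
    [pscustomobject]$result
} | Where-Object { $_.Status -ne 'Valid' -or $_.Revoked -or $_.Watch }
```

A watched signer with a clean chain is not proof of malice, only a prompt to check the file’s hash and timestamp against the vendor’s own release; a `RevocationStatusUnknown` chain status means the check could not complete offline and should be repeated with network access.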