Hacking operations depend on various factors. When it comes to the Suckfly gang, one of the key factors for such an operation is having lots of stolen code-signing certificates on hand to make its custom malware look legitimate.
According to security researchers, since 2014 the group has used about nine separate signing certificates from nine separate companies to digitally sign its hacking wares. The experts first came upon the group last year when they identified a brute-force server message-block scanner which was signed with a certificate belonging to a South Korean mobile software developer. When the experts searched for other executable files which used the same credential, they eventually uncovered three more custom tools from the same group of cyber criminals.
The researchers traced the hacking group’s traffic to IP addresses in China and identified a significantly larger collection of custom-developed backdoors and hacking tools which were signed by nine different certificates from nine different companies.
The most interesting fact here was that all nine of the compromised companies are located within a few miles of each other in Seoul. While the physical proximity is suspicious, the malware experts speculated the certificate thefts weren’t the result of any physical attack and were most likely the result of the owners being infected with malware which had the ability to search for and extract signing certificates. This is not the first time advanced malware outfits have used stolen certificates.
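The pivot described above (start from one signed binary, then find every other executable that used the same credential) is easy to reproduce over a host inventory. The script below is an added illustration, not code from the researchers or the article; the inventory records, thumbprints and paths are constructed, and the `product_vendor` field is assumed to come from the binary's version resource as reported by whatever signature-verification tool feeds the inventory.

```python
from collections import defaultdict

# Constructed sample inventory: one record per signed executable, as an endpoint
# agent or a signature-verification scan might report it. All values are made up.
INVENTORY = [
    {"path": r"C:\Program Files\MobileSync\sync.exe",
     "thumbprint": "AA11", "subject": "Example Mobile Software Co.",
     "product_vendor": "Example Mobile Software Co."},
    {"path": r"C:\Program Files\MobileSync\updater.exe",
     "thumbprint": "AA11", "subject": "Example Mobile Software Co.",
     "product_vendor": "Example Mobile Software Co."},
    # A scanner tool signed with the mobile developer's certificate but carrying
    # no vendor information and living in a user-writable directory.
    {"path": r"C:\Users\Public\smbscan.exe",
     "thumbprint": "AA11", "subject": "Example Mobile Software Co.",
     "product_vendor": ""},
    {"path": r"C:\Windows\Temp\svchost_.exe",
     "thumbprint": "AA11", "subject": "Example Mobile Software Co.",
     "product_vendor": "Unrelated Tools Ltd."},
    {"path": r"C:\Program Files\Games\launcher.exe",
     "thumbprint": "BB22", "subject": "Example Games Inc.",
     "product_vendor": "Example Games Inc."},
]

# Directories where legitimately installed, signed software is expected to live.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows\system32")


def pivot_on_certificate(inventory, seed_path):
    """Return the paths of every other file signed with the same certificate
    (same thumbprint) as the file at seed_path."""
    seed = next(r for r in inventory if r["path"] == seed_path)
    return sorted(r["path"] for r in inventory
                  if r["thumbprint"] == seed["thumbprint"] and r["path"] != seed_path)


def certificate_anomalies(inventory):
    """Group the inventory by signing certificate and flag files whose claimed
    vendor does not match the certificate subject, or which sit outside the
    directories where installed software is expected. Returns
    {thumbprint: [(path, [reasons...]), ...]} for certificates with findings."""
    by_cert = defaultdict(list)
    for record in inventory:
        by_cert[record["thumbprint"]].append(record)

    findings = defaultdict(list)
    for thumb, files in by_cert.items():
        for f in files:
            reasons = []
            if f["product_vendor"] != f["subject"]:
                reasons.append(f"vendor {f['product_vendor']!r} != signer {f['subject']!r}")
            if not f["path"].lower().startswith(TRUSTED_PREFIXES):
                reasons.append("signed binary outside expected install directories")
            if reasons:
                findings[thumb].append((f["path"], reasons))
    return dict(findings)


if __name__ == "__main__":
    seed = r"C:\Users\Public\smbscan.exe"
    print("Other files signed with the same certificate as", seed)
    for path in pivot_on_certificate(INVENTORY, seed):
        print("  ", path)
    for thumb, hits in certificate_anomalies(INVENTORY).items():
        print(f"Certificate {thumb}:")
        for path, reasons in hits:
            print("  ", path, "->", "; ".join(reasons))
```

In practice the thumbprint and subject would be collected per host (for example from a signature-verification tool) and the same two checks run across the fleet: a certificate that shows up on binaries the certificate owner never shipped, or in directories where installed software does not belong, is the signal that a signing credential may have been stolen.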
Six years ago, the Stuxnet worm which disrupted Iran’s nuclear program was signed with legitimate certificates from companies located in Taiwan. Malware dubbed Winnti, revealed in 2013 and targeting over 30 online video game companies, also used stolen certificates. So did an advanced persistent threat group called Hidden Lynx, which was exposed the same year. Another example is Black Vine, a separate APT group responsible for the devastating 2014 breach of health insurer Anthem.
The certificate-theft attacks come as operating systems increasingly make code signing a requirement for installing apps.
“Signing malware with code-signing certificates is becoming more common, as seen in this investigation and the other attacks we have discussed,” the researcher Jon DiMaggio wrote.
“Attackers are taking the time and effort to steal certificates because it is becoming necessary to gain a foothold on a targeted computer. Attempts to sign malware with code-signing certificates have become more common as the Internet and security systems have moved towards a more trust and reputation oriented model. This means that untrusted software may not be allowed to run unless it is signed.”
“Our investigation shines a light on an often unknown and seedier secret life of code-signing certificates, which is completely unknown to their owners,” Jon DiMaggio concluded.
“The implications of this study show that certificate owners need to keep a careful eye on them to prevent them from falling into the wrong hands. It is important to give certificates the protection they need so they can’t be used maliciously.”