The attackers behind the recently disclosed Duqu 2.0 APT have used stolen digital certificates to help sneak their malware past security defenses, and one of the certificates used in the attacks was issued to Foxconn, the Chinese company that manufactures products for Apple, BlackBerry, Dell, and many other companies.
Researchers at Kaspersky Lab, who discovered the Duqu 2.0 campaign, said Monday that the certificate was used as part of the attackers’ technique for getting malicious traffic in and out of compromised networks. Because the Duqu 2.0 malware doesn’t have a typical persistence mechanism, the attackers used a variety of methods for ensuring they could access target systems as needed. One of those techniques involves the attackers installing malicious drivers on network gear, including firewalls, and then using them to redirect traffic to a specific set of ports.
“The attackers created an unusual persistence module which they deploy on compromised networks. It serves a double function – it also supports a hidden C&C communication scheme. This organization-level persistence is achieved by a driver that is installed as a normal system service. On 64-bit systems, this implies a strict requirement for an Authenticode digital signature. We have seen two such persistence drivers deployed in the course of attacks,” an analysis from the Kaspersky researchers says.
The use of stolen certificates to sign malware is nothing new. Malware authors have been using this technique for several years and it has been seen in a number of high-level attacks, including Stuxnet. The tactic allows the attackers to get their malware past many kinds of security software, which typically treat signed files as benign. The certificate used by the Duqu 2.0 attackers was issued to Foxconn, formally known as Hon Hai Precision Industry, by VeriSign on Aug. 25, 2012. It was used to sign the malicious driver on Feb. 19, but the Kaspersky researchers said they don’t believe that Foxconn itself has been compromised.
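A defender-side check prompted by the persistence mechanism Kaspersky describes and by the point that security software tends to treat signed files as benign: the following PowerShell script is an added example, not from the article or from Kaspersky, that enumerates driver services on a Windows host, verifies each binary’s Authenticode signature, and reports binaries that are unsigned, fail validation, or are signed by a publisher outside a site-specific allowlist. The allowlist entries are illustrative assumptions; a valid signature from an unexpected publisher is exactly the case an allowlist-only check would otherwise wave through.

```powershell
# Added example: audit Authenticode signatures of every driver service and
# flag signers that are not on a site-specific allowlist. A driver that is
# validly signed but by a publisher with no business on this host (as with
# the Duqu 2.0 persistence driver) is reported alongside unsigned ones.

# Assumption: this allowlist is illustrative; tailor it to the environment.
$TrustedSubjects = @(
    'CN=Microsoft Windows',
    'CN=Microsoft Windows Hardware Compatibility Publisher'
)

function Get-DriverSignatureReport {
    param([string[]]$TrustedSubjects)

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Service image paths come in several registry spellings:
            # quoted, prefixed with \??\ or \SystemRoot\, or relative to %SystemRoot%.
            $path = $_.PathName.Trim('"') -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                Path      = $path
                Status    = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer    = $subject
                NotBefore = $sig.SignerCertificate.NotBefore
                # Suspect when no allowlisted subject prefix matches the signer.
                Suspect   = -not ($TrustedSubjects | Where-Object { $subject -like "$_*" })
            }
        }
}

# Report anything that is not both validly signed and from an allowlisted publisher.
Get-DriverSignatureReport -TrustedSubjects $TrustedSubjects |
    Where-Object { $_.Suspect -or $_.Status -ne 'Valid' } |
    Sort-Object Signer |
    Format-Table Service, State, Status, Signer, NotBefore, Path -AutoSize
```

Run it from an elevated prompt so every driver image is readable; the NotBefore column shows when the signing certificate was issued, which helps spot a certificate being reused long after issuance as in the case above.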
The way that the certificates are used by the Duqu attackers is somewhat unusual. Rather than using one certificate for multiple modules or drivers, the group seems to have access to a sizable cache of stolen certificates and uses each one just once.
“Another interesting observation is that besides these Duqu drivers we haven’t uncovered any other malware signed with the same certificates. That rules out the possibility that the certificates have been leaked and are being used by multiple groups. It also seems to indicate the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates,” the Kaspersky analysis says.
“Finally, it’s interesting that the Duqu attackers are also careful enough not to use the same digital certificate twice. This is something we have seen with Duqu from both 2011 and 2015. If that’s true, then it means that the attackers might have enough alternative stolen digital certificates from other manufacturers that are ready to be used during the next targeted attack. This would be extremely alarming because it effectively undermines trust in digital certificates.”