Opera Code-Signing Certificate Stolen, Malware Signed and Distributed

Opera Software said it will share additional information today about the theft of a code-signing certificate used to sign malware.

Opera Software said it was able to contain the impact of a security breach that resulted in the theft of an expired code-signing certificate used to sign malware distributed to Windows users during a 36-minute stretch on June 19.

Opera developer Sigbjorn Vik said the browser maker was victimized in a targeted attack against its internal network and an expired certificate was stolen.

“The current evidence suggests a limited impact,” Vik wrote in a blogpost. “This has allowed [the attackers] to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.”

Vik told Threatpost that more details are expected to be shared today by the company. “The evidence we have uncovered so far suggests that this was the only certificate stolen; however, we are investigating the matter to be certain,” he said.

Opera holds between 1 percent and 3 percent of the desktop browser market, according to several sources; by comparison, Google Chrome leads with between 40 percent and 45 percent.

Vik said that Opera’s network has been “cleaned” and no user data was compromised. The stolen certificate was valid until 12:59 a.m. on Jan 29, Vik said.

Vik suggested that a few thousand Windows users could have been infected on June 19 between 1:00 and 1:36 UTC. A new version of Opera is available with a new code-signing certificate, he said.

“The active attack on Opera users ended shortly after it began,” Vik said, adding that, for security reasons, the company could not comment on how the attackers compromised its network.

A VirusTotal scan of the hash provided by Opera suggests the malware is a keylogging Trojan that opens a backdoor to a command infrastructure where stolen data such as credentials and payment card information is sent. Kaspersky Lab detects this malware as Trojan-PSW.Win32.Tepfer.msdu.

Opera isn’t the first to fall victim to this type of attack. In September, Adobe confessed to an APT-style attack on its network which resulted in the loss of a valid Adobe code-signing certificate. Attackers penetrated the network and moved laterally through it until reaching a build server, from which they requested digital signatures for a pair of malicious utilities. Adobe revoked the certificate a week later.

Adobe CSO Brad Arkin said at the time the certificate was used to sign only two utilities: pwdump7 v7.1, which extracts password hashes from Windows and sometimes links the OpenSSL library libeay32.dll; and myGeeksmail.dll, a malicious ISAPI filter that runs on the Microsoft Web server software IIS. ISAPI can be used to modify IIS’ functionality.
