The recent trend of attackers using stolen digital certificates to make their malicious executables look legitimate is continuing unabated, with researchers now having come across a series of variants of the Etchfro Trojan that are using certificates taken from several companies and issued by VeriSign, Thawte and other certificate authorities.
After looking at recent examples of malware signed with stolen certificates, researchers at Norman ASA, a security firm in Norway, noticed that there was an odd string in one specific optional field included in the stolen certificates. The field, named moreInfo, often is used to enter a URL for users to find more information on a company. But in the examples that Norman looked at, that field instead included the following string: “identifierBegin:shiqiang:identifierEnd“.
It’s not clear what, if any, purpose the string serves, but Norman researchers started digging through the company’s malware database, looking for other samples with the same string. Lo and behold, there were more than 20 samples with the same odd string, and each of them included a stolen digital certificate. Many of the certificates are still valid right now. All of the malware samples, save one, was some version of the Etchfro Trojan. The other one is a version of the infamous Gh0st RAT tool.
“Not all samples signed with these certificates contain the “shiqiang” string, but many do, and they just seem to keep on coming. We’ve seen this phenomenon for over a year, some very recently. Also, quite a few samples with other stolen certificates may be connected, but we have not seen them signed with the “shiqiang” string yet. This applies to, for example, the Shenzhen Xuri Weiye certificate mentioned above,” Snorre Fagerland of Norman wrote in an analysis of the malware samples.
“The companies that have lost certificates obviously have a security problem. In the case of Jiangxi You Ma Chuang Da Software Technology, the Shiqiang Gang literally seems to have moved in with their family and pets and set up tent in their code signing servers.”
The targets of the malware used in this attack are interesting. As has been the case with similar attacks that have employed stolen certificates, many of the malicious documents used in these attacks indicate that the attackers are going after organizations and individuals who are opposed to the Chinese government’s policies. Researchers have uncovered several other examples of attackers, whether they be government-sponsored or private, going after human rights activists, Tibetan nationalists and others who oppose the Chinese government.
Most recently, attackers have been seen using a new Mac OS X Trojan to target Tibetan NGOs. In that case, emails containing an exploit for a Java vulnerability were sent to target NGOs, and some of the attacks included malware for both Windows and Mac machines. Tibetan government agencies and non-governmental organizations have become frequent targets of attacks aimed at installing Trojans to enable spying operations in recent years. The most famous example of this is the GhostNet operation that was uncovered in 2009.
“The domestic political espionage seen from the Shiqiang Gang fits an emerging picture of targeted malware producers acting highly predatory at home, where mass-theft of Chinese companies’ code signing certificates is only one aspect,” Fagerland said.