Stolen certificates used to deliver trojans in spear phishing campaign

Spear phishers are using stolen certificates to deliver remote access trojans.

Researchers with McAfee Labs have identified a string of spear phishing attacks, against nongovernmental organizations and activists mostly in China, in which stolen digital certificates are being used to deliver remote access trojans.

The campaign dates as far back as July 2013, according to a Friday post by Rahul Mohandas, a security analyst with McAfee Labs, which identifies the valid signatures as “Zhengzhou hanJiang Electronic Technology Co., Ltd,” verified by Thawte, and “Jiangxi you ma chuang da Software Technology Co., Ltd,” verified by Verisign.

The remote access trojans come attached to emails and appear as Microsoft Word documents, Adam Wosotowsky, messaging data architect at McAfee, told SCMagazine.com in a Monday email correspondence.

“The remote access trojan allows the attacker to access a computer and take any information from it,” Wosotowsky said. “As the targets are nongovernmental organizations [and activists], the likely target data is member lists, activity plans, foreign aid/sympathizers and any financial information available.”

The campaign also takes advantage of an arbitrary-code-execution exploit, tracked as CVE-2012-0158, which makes it possible for an attacker to execute code at the access level of the application being attacked, Wosotowsky said.

“There is only limited role-restriction on many Windows installs in the first place, but in this case it exploits ActiveX components, which are associated with video processing and will generally run at a system level of access,” Wosotowsky said.

The group is being referred to as the Shiqiang Group, or Shiqiang Gang, because of one of the certificates the team is using to bypass some whitelisting defenses, Wosotowsky said, adding that the phishers may have existed prior to this campaign.

Defending against these types of spear phishing attacks involves a layered defense coupled with employee education and awareness of security threats, according to Wosotowsky.

“[Layering] starts at the border with email and web security, exists on workstations with local [anti-virus], your last line of defense before infection occurs, and includes network behavior monitoring that can catch established infections by monitoring outgoing data,” Wosotowsky said.
