Stolen certificates used to deliver trojans in spear phishing campaign

Spear phishers are using stolen certificates to deliver remote access trojans.

Researchers with McAfee Labs have identified a string of spear phishing attacks, against nongovernmental organizations and activists mostly in China, in which stolen digital certificates are being used to deliver remote access trojans.

The campaign dates as far back as July 2013, according to a Friday post by Rahul Mohandas, a security analyst with McAfee Labs, which identifies the valid signatures as “Zhengzhou hanJiang Electronic Technology Co., Ltd,” verified by Thawte, and “Jiangxi you ma chuang da Software Technology Co., Ltd,” verified by Verisign.

The remote access trojans come attached to emails and appear as Microsoft Word documents, Adam Wosotowsky, messaging data architect at McAfee, said in a Monday email correspondence.

“The remote access trojan allows the attacker to access a computer and take any information from it,” Wosotowsky said. “As the targets are nongovernmental organizations [and activists], the likely target data is member lists, activity plans, foreign aid/sympathizers and any financial information available.”

The campaign also takes advantage of an arbitrary-code-execution vulnerability, CVE-2012-0158, which makes it possible for an attacker to run code at the access level of the application being attacked, Wosotowsky said.

“There is only limited role-restriction on many Windows installs in the first place, but in this case it exploits ActiveX components, which are associated with video processing and will generally run at a system level of access,” Wosotowsky said.

The group is being referred to as the Shiqiang Group, or Shiqiang Gang, because of one of the certificates the group is using to bypass some whitelisting defenses, Wosotowsky said, adding that the phishers may have existed prior to this campaign.

Defending against these types of spear phishing attacks involves a layered defense coupled with employee education and awareness of security threats, according to Wosotowsky.

“[Layering] starts at the border with email and web security, exists on workstations with local [anti-virus], your last line of defense before infection occurs, and includes network behavior monitoring that can catch established infections by monitoring outgoing data,” Wosotowsky said.
