Stolen certificates used to deliver trojans in spear phishing campaign

Spear phishers are using stolen certificates to deliver remote access trojans.

Researchers with McAfee Labs have identified a string of spear phishing attacks, against nongovernmental organizations and activists mostly in China, in which stolen digital certificates are being used to deliver remote access trojans.

The campaign dates as far back as July 2013, according to a Friday post by Rahul Mohandas, a security analyst with McAfee Labs, which identifies the two stolen code-signing certificates, both still valid at the time of the report, as issued to “Zhengzhou hanJiang Electronic Technology Co., Ltd” by Thawte and to “Jiangxi you ma chuang da Software Technology Co., Ltd” by VeriSign.

The remote access trojans arrive as email attachments that appear to be Microsoft Word documents, Adam Wosotowsky, messaging data architect at McAfee, told SCMagazine.com in a Monday email correspondence.

“The remote access trojan allows the attacker to access a computer and take any information from it,” Wosotowsky said. “As the targets are nongovernmental organizations [and activists], the likely target data is member lists, activity plans, foreign aid/sympathizers and any financial information available.”

The campaign also exploits CVE-2012-0158, a vulnerability in the MSCOMCTL.OCX ActiveX control used by Microsoft Office that Microsoft patched in April 2012. The flaw makes it possible to execute arbitrary code at the access level of the application being attacked, Wosotowsky said.

“There is only limited role-restriction on many Windows installs in the first place, but in this case it exploits ActiveX components, which are associated with video processing and will generally run at a system level of access,” Wosotowsky said.

The group is being referred to as the Shiqiang Group, or Shiqiang Gang, because of one of the certificates the team is using to bypass some whitelisting defenses, Wosotowsky said, adding that the phishers may have existed prior to this campaign.
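The whitelisting bypass works because many allow-listing policies accept any binary whose Authenticode signature validates, and a signature made with a stolen certificate validates just like a legitimate one. The PowerShell script below is an added example, not code from McAfee or SC Magazine: it walks a set of directories, checks each executable with Get-AuthenticodeSignature, and reports on signer identity rather than on validity alone. The scan paths and the allowed-publisher list are placeholders to replace with your own; the watch-list holds the two certificate subjects named in the McAfee report.

```powershell
# Added example (not McAfee's or SC Magazine's code): triage executables by
# signer identity instead of by "Status -eq Valid" alone.
# Assumptions: $Paths and $AllowedPublishers are placeholders; replace them
# with your own. The watch-list is the two subjects named in the report.
param(
    [string[]]$Paths = @("$env:ProgramData", "$env:APPDATA", "$env:TEMP"),
    [string[]]$AllowedPublishers = @('CN=Microsoft Corporation', 'CN=Your Company Inc.'),
    [string[]]$WatchListSubjects = @(
        'Zhengzhou hanJiang Electronic Technology Co., Ltd',
        'Jiangxi you ma chuang da Software Technology Co., Ltd'
    )
)

function Get-SignerVerdict {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig     = Get-AuthenticodeSignature -FilePath $FilePath
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '' }

    # A signature made with a stolen certificate reports Status 'Valid';
    # that is exactly why validity alone cannot be the allow-listing test.
    $onWatchList = [bool]($WatchListSubjects | Where-Object { $subject -like "*$_*" })
    $onAllowList = [bool]($AllowedPublishers | Where-Object { $subject -like "$_*" })

    if ($sig.Status -ne 'Valid') { $verdict = "signature $($sig.Status)" }
    elseif ($onWatchList)        { $verdict = 'ALERT: valid signature from watch-listed subject' }
    elseif (-not $onAllowList)   { $verdict = 'REVIEW: valid signature, publisher not on allow-list' }
    else                         { $verdict = 'allowed' }

    [pscustomobject]@{
        Path       = $FilePath
        Status     = $sig.Status
        Subject    = $subject
        Issuer     = if ($cert) { $cert.Issuer } else { '' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        Verdict    = $verdict
    }
}

# Scan user-writable locations where dropped RATs usually land and show
# everything that is not an approved publisher, most urgent first.
Get-ChildItem -Path $Paths -Recurse -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignerVerdict -FilePath $_.FullName } |
    Where-Object { $_.Verdict -ne 'allowed' } |
    Sort-Object Verdict |
    Format-Table Verdict, Subject, Issuer, Path -AutoSize
```

Two caveats apply. Get-AuthenticodeSignature reports chain validity at scan time, so a certificate the CA revokes later keeps reporting Valid on hosts that cannot reach the revocation data, and a stolen certificate that has not yet been revoked reports Valid everywhere. Matching on the subject string is also weaker than pinning the allow-list to certificate thumbprints, because a subject name is whatever the CA agreed to issue; where the policy engine supports it, pin publishers by thumbprint and treat the subject match here as a triage aid, not the control.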

Defending against these types of spear phishing attacks involves a layered defense coupled with employee education and awareness of security threats, according to Wosotowsky.

“[Layering] starts at the border with email and web security, exists on workstations with local [anti-virus], your last line of defense before infection occurs, and includes network behavior monitoring that can catch established infections by monitoring outgoing data,” Wosotowsky said.
