The attackers behind the Duqu 2.0 malware that targeted Kaspersky Lab may have used stolen digital certificates from legitimate hardware manufacturers to sign the malware.
Researchers found a 64-bit driver used in the attack against Kaspersky Lab that had a digital signature from the Taiwan-based electronics manufacturer Hon Hai Precision Co, also known as Foxconn (a company that produces hardware for most major tech companies including Apple, Dell, Google, Microsoft and Sony), according to a release.
Kaspersky noted that Duqu hackers have previously used malware with Foxconn, Realtek and JMicron digital certificates in previous attacks though there is no confirmation that any of these companies have been breached.
“Valid 2048-bit digital certificates, owned and maintained by Foxconn, were used to sign Duqu 2.0 malicious drivers,” Kurt Baumgartner, principal security researcher at Kaspersky, told SCMagazine.com in a Tuesday email correspondence. “There is no other way for Duqu to misuse these digital certificates for 64-bit Windows driver loading than to steal them."
He explained that "Duqu's use of these certificates required that they be revoked by Verisign, the certificate registrar.”
During the attack, Duqu threat actors installed malicious drivers on firewalls, gateways, or other servers that had direct internet access on one side and corporate network access on the other side. As a result, the attackers achieved multiple goals simultaneously - accessed internal infrastructure from the Internet, avoided log records in corporate proxy servers and maintained a form of persistence.
Researchers also noted that the Duqu attackers were careful enough not to use the same digital certificate twice in both their 2011 and 2015 attacks, indicating that the attackers may have several stolen certificates readily available for their next attack.