
Stolen certificates used to deliver trojans in spear phishing campaign


Researchers with McAfee Labs have identified a string of spear phishing attacks, against nongovernmental organizations and activists mostly in China, in which stolen digital certificates are being used to deliver remote access trojans.

The campaign dates as far back as July 2013, according to a Friday post by Rahul Mohandas, a security analyst with McAfee Labs, which identifies the valid signatures as “Zhengzhou hanJiang Electronic Technology Co., Ltd,” verified by Thawte, and “Jiangxi you ma chuang da Software Technology Co., Ltd,” verified by Verisign.

The remote access trojans come attached to emails and appear as Microsoft Word documents, Adam Wosotowsky, messaging data architect at McAfee, said in a Monday email correspondence.

“The remote access trojan allows the attacker to access a computer and take any information from it,” Wosotowsky said. “As the targets are nongovernmental organizations [and activists], the likely target data is member lists, activity plans, foreign aid/sympathizers and any financial information available.”

The campaign also takes advantage of an arbitrary-code-execution exploit, referred to as CVE-2012-0158, which makes it possible for someone to execute code at the access level of the application being attacked, Wosotowsky said.

“There is only limited role-restriction on many Windows installs in the first place, but in this case it exploits ActiveX components, which are associated with video processing and will generally run at a system level of access,” Wosotowsky said.

The group is being referred to as the Shiqiang Group, or Shiqiang Gang, because of one of the certificates the team is using to bypass some whitelisting defenses, Wosotowsky said, adding that the phishers may have existed prior to this campaign.

Defending against these types of spear phishing attacks involves a layered defense coupled with employee education and awareness of security threats, according to Wosotowsky.

“[Layering] starts at the border with email and web security, exists on workstations with local [anti-virus], your last line of defense before infection occurs, and includes network behavior monitoring that can catch established infections by monitoring outgoing data,” Wosotowsky said.
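The whitelisting weakness described above, as an added PowerShell example that is not from McAfee or this article: a valid Authenticode chain alone is not a trust decision, so a scan of quarantined attachments compares the signer against an approved-publisher list and against the two certificate subjects the McAfee post names as stolen. The scan path and the approved-publisher list are placeholders for this environment.

```powershell
# Added example, not code from McAfee or the article: flag files whose
# Authenticode signature verifies but whose signer is not an approved publisher.
$ScanPath = 'C:\Quarantine\attachments'        # placeholder: where mail attachments land
$ApprovedPublishers = @(                         # placeholder allowlist for this environment
    'CN=Microsoft Corporation*'
)
# Subject CNs of the stolen certificates named in the McAfee post
$KnownAbusedSigners = @(
    'Zhengzhou hanJiang Electronic Technology Co., Ltd',
    'Jiangxi you ma chuang da Software Technology Co., Ltd'
)

Get-ChildItem -Path $ScanPath -Recurse -File -Include *.exe,*.dll,*.scr |
ForEach-Object {
    $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # A valid chain is necessary but not sufficient: the campaign's samples were validly signed.
    $abused   = $KnownAbusedSigners | Where-Object { $subject -like "*$_*" }
    $approved = $ApprovedPublishers | Where-Object { $subject -like $_ }

    $verdict = switch ($true) {
        ($sig.Status -ne 'Valid') { "UNSIGNED/INVALID ($($sig.Status))"; break }
        ([bool]$abused)           { 'BLOCK: signed with a known-stolen certificate'; break }
        (-not $approved)          { 'REVIEW: valid signature, publisher not on allowlist'; break }
        default                   { 'ALLOW: approved publisher' }
    }

    [pscustomobject]@{
        File       = $_.FullName
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        Verdict    = $verdict
    }
} | Format-Table -AutoSize
```

Files that land in REVIEW are the interesting set for the "valid but untrusted" case the article describes, and the thumbprint column gives a stable value to pivot on in mail and endpoint logs.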
