Backdoor malware is being spread through fake security certificate alerts

silversurfer

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,112
Content source
https://www.zdnet.com/article/backdoor-malware-is-being-spread-through-fake-security-certificate-alerts/
Backdoor and Trojan malware variants are being distributed through a new phishing technique that attempts to lure victims into accepting an "update" to website security certificates.

Certificate Authorities (CAs) distribute SSL/TLS security certificates for improved security online by providing encryption for communication channels between a browser and server -- especially important for domains providing e-commerce services -- as well as identity validation, which is intended to instill trust in a domain.

While there are cases of certificate misuse, fraud, and even cybercriminals posing as executives to obtain security certificates to sign off fraudulent domains or malware payloads, a new phishing approach is now abusing the certificate trust mechanism.

On Thursday, cybersecurity researchers from Kaspersky reported that the new technique has been spotted on a variety of websites, ranging from a zoo to an e-commerce store selling vehicle parts. The earliest infections date back to January 16, 2020.
Click to expand...
www.zdnet.com

Backdoor malware is being spread through fake security certificate alerts

Victims of this new technique are invited to install a malicious "security certificate update" when they visit compromised websites.
www.zdnet.com www.zdnet.com
 
  • Like
  • +Reputation
  • Applause
Reactions: Zartarra, upnorth, Gandalf_The_Grey and 7 others
Stopspying

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814
Does anyone know if this has anything to do with Let's Encrypt revoking certificates yesterday?

community.letsencrypt.org

Revoking certain certificates on March 4

[Update 2020-03-05: The most up-to-date summary is at 2020.02.29 CAA Rechecking Bug] Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information. This post and...
community.letsencrypt.org community.letsencrypt.org
 
  • Like
Reactions: upnorth and [correlate]
blackice

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
  • Like
Reactions: upnorth, Stopspying, Gandalf_The_Grey and 3 others
B

BVLon

blackice said:
This is particularly concerning for average joe users who don’t understand certificates. A very clever and dangerous attack.
Click to expand...
Users should NOT install any certificates whatsoever! They should always consult a knowledgable friend or website before they perform this action. They should also not download any executables that have been “forced”. That’s among my top 10 of security rules. If they are “forcing” you to download it, saying you need it, and it’s not you who requested it from a trusted website, immediately cancel the download, or discard the executable to the recycle bin.
 
Last edited by a moderator:
  • Like
Reactions: Stopspying and Gandalf_The_Grey
B

BVLon

Stopspying said:
Does anyone know if this has anything to do with Let's Encrypt revoking certificates yesterday?

community.letsencrypt.org

Revoking certain certificates on March 4

[Update 2020-03-05: The most up-to-date summary is at 2020.02.29 CAA Rechecking Bug] Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information. This post and...
community.letsencrypt.org community.letsencrypt.org
Click to expand...

It cannot have anything to do with that, as the certificate message (according to Kaspersky, I haven’t seen it myself) is totally fake, JS-based and does not involve any certificates whatsoever. It is just another way to

1.) grab the user’s interest with fake news (mostly), but can also be with cracks, serials, keygens, or pirated content or in this case, by compromising a totally legitimate website.

2.) After the user is interested, you tell them they cannot access the resources, before they download something. We’ve seen this social engineering scheme millions of times. Nothing new here. It was mostly codecs to “watch a shocking video” before.
 
  • Like
Reactions: Stopspying
upnorth

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Stopspying said:
Does anyone know if this has anything to do with Let's Encrypt revoking certificates yesterday?
Click to expand...
When a Certificate is actually revoked, sites goes down real fast. That's also the fuzz and why site owners gets upset or worried if they can't update in time. Last thing I heard now is that Let's Encrypt made an extension on when the revokes will happen. This report from Kaspersky does actually involve a main domain that serve/load the iframe content.
contents loaded from the third-party resource...
Click to expand...
The iframe content is loaded from the address https...
Click to expand...
Tested on AnyRun.

This is no new attack/infection approach just as mentioned in the report, but the new part is what Kaspersky notice with the use of a Certificate message. Personal I was curious if the used domain that serve/load the malicious content will go down when Let's Encrypt pulls the plug. Nope, as their certificate is not affected by the Bug and therefor not in need for a revoke. Also tested.
05pUKlyW_o.png

In plain English. This specific malware and it's attack vector has nothing to do with Let's Encrypts revoke decision on certificates other then what the Kaspersky report mentioned about the domain and what's seen in the screenshot.
 
  • Like
Reactions: Gandalf_The_Grey, harlan4096, silversurfer and 2 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • Hundred Points
    • +Reputation
Malware News TrickMo malware steals Android PINs using fake lock screen
Replies
0
Views
1,267
Security News
Gandalf_The_Grey
Gandalf_The_Grey
enaph
    • +Reputation
    • Like
    • Wow
Scams & Phishing News Microsoft “Poisons” Phishing Data With Fake Creds to Catch Hackers
Replies
0
Views
1,365
Security News
enaph
enaph
Gandalf_The_Grey
    • Like
Security News Fake Google Meet conference errors push infostealing malware
Replies
2
Views
1,317
Security News
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top