Malware Signed With a Governmental Signing Key

Jack (Administrator, Staff Member)
Jan 24, 2011
F-Secure said:
Certificates and CAs continue to be a hot topic (think Stuxnet, Duqu, Comodogate, Diginotar, et cetera).

Every now and then we run into malware that has been signed with a code signing certificate. This is problematic, as an unsigned Windows application will produce a warning to the end user if he downloads it from the web — signed applications won't do this. Also some security systems might trust signed code more than unsigned code.

In some of these cases, the certificate has been created by the criminals just for the purpose of signing malware. In other cases they steal code signing certificates (and their passphrases) so they can sign code as someone else.

We recently found a sample signed with a stolen certificate. The file properties looked like this:

Publisher: Adobe Systems Incorporated
Copyright: Copyright (C) 2010
Product: Adobe Systems Apps
File version: 8, 0, 12, 78
Comments: Product of Adobe Systems

And the signing info was:

Signer: anjungnet.mardi.gov.my
Digisign Server ID (Enrich)
GTE CyberTrust Global Root
Signing date: 5:36 24/08/2011

Turns out mardi.gov.my is part of the Government of Malaysia: Malaysian Agricultural Research and Development Institute. According to the information we received from the Malaysian authorities, this certificate was stolen "quite some time ago".

The malware itself has been spread via malicious PDF files that drop it after exploiting Adobe Reader 8. The malware downloads additional malicious components from a server called worldnewsmagazines.org. Some of those components are also signed, although this time by an entity called www.esupplychain.com.tw.

It's not that common to find a signed copy of malware. It's even rarer that it's signed with an official key belonging to a government.

This particular malware does not gain much advantage from the signature any more, as the mardi.gov.my certificate expired at the end of September.

The Malaysian Government has been informed about the case.

via F-Secure Labs
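The sample above is recognisable by one cheap check: the version resource claims "Adobe Systems Incorporated" while the Authenticode signer is anjungnet.mardi.gov.my. The script below is an added example, not code from F-Secure or this thread; it walks a directory (the path is an assumption), reads each PE's claimed publisher and its signer certificate with the built-in Get-AuthenticodeSignature cmdlet, and reports publisher mismatches, non-Valid signature status and the certificate validity window, so expired or revoked signers like the one in the post stand out.

```powershell
# Added example: flag signed PE files whose certificate subject does not match the
# publisher named in the file's version resource, and show signature status/validity.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed scan location
)

# Pull the organisation (O=) or, failing that, the common name (CN=) out of a subject DN.
function Get-SubjectOrg {
    param([string]$Subject)
    if ($Subject -match 'O=([^,]+)')  { return $Matches[1].Trim() }
    if ($Subject -match 'CN=([^,]+)') { return $Matches[1].Trim() }
    return $Subject
}

Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -eq 'NotSigned') { return }    # unsigned files are out of scope here

    $claimed = $_.VersionInfo.CompanyName           # what the binary says about itself
    $signer  = if ($sig.SignerCertificate) { Get-SubjectOrg $sig.SignerCertificate.Subject } else { $null }

    # In the F-Secure sample the resource said "Adobe Systems Incorporated" while the
    # certificate was issued to anjungnet.mardi.gov.my: neither string contains the other.
    $mismatch = [bool]($claimed -and $signer -and
                       ($claimed -notlike "*$signer*") -and ($signer -notlike "*$claimed*"))

    [pscustomobject]@{
        File              = $_.FullName
        Status            = $sig.Status             # Valid, NotTrusted, HashMismatch, ...
        ClaimedPublisher  = $claimed
        Signer            = $signer
        NotBefore         = $sig.SignerCertificate.NotBefore
        NotAfter          = $sig.SignerCertificate.NotAfter   # expiry, cf. "end of September"
        Timestamped       = [bool]$sig.TimeStamperCertificate # countersignature present?
        PublisherMismatch = $mismatch
    }
} | Where-Object { $_.PublisherMismatch -or $_.Status -ne 'Valid' } |
Format-Table -AutoSize
```

A mismatch alone is not proof of theft (resellers and subsidiaries legitimately sign under other names), so treat hits as triage candidates and confirm against the publisher's known certificate chain.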