Cybersecurity researchers from SentinelLabs have recently spotted a hacking campaign in which legitimate certificates used by a VPN service were abused to hide malware in plain sight.
The researchers pinned the campaign to Bronze Starlight, a Chinese state-sponsored APT, which was after companies in the gambling industry, located in the Southeast Asia region.
As per their report, the group was distributing two .NET executables - agentupdate_plugins.exe and AdventureQuest.exe, most likely through trojanized chat apps. The goal of the campaign, according to the researchers, is to deliver a Cobalt Strike beacon.
Reader Offer: $50 Amazon gift card with demo
Save 250+ yearly hours on manual configuration. Deploy your entire organization within a single day. Learn why Perimeter 81 is TechRadar's choice for the best Business VPN. Ditch legacy hardware and make the move to the cloud. See how simple it is for yourself.
Preferred partner (What does this mean?)
Hiding in plain sight
Cobalt Strike is a commercial penetration testing tool, used by both security professionals and cybercriminals. Legitimate use cases include testing the security of networks and systems.
The code-signing certificate for the .NET executables was the same one that’s used by the installer for Ivacy VPN, a popular virtual private network solution.
By using a legitimate certificate, the attackers can bypass cybersecurity solutions installed on the target endpoint, and also make sure that any inbound and outbound traffic generated by the malware remains hidden.
The researchers also discovered that the two .NET executables were designed not to work in certain countries, including the United States, Germany, France, Russia, India, Canada, or the UK, most likely to further evade detection. But the geofencing feature wasn’t implemented properly, they added.
"It is likely that at some point the PMG PTE LTD signing key has been stolen – a familiar technique of known Chinese threat actors to enable malware signing," SentinelLabs said. "VPN providers are critical targets since they enable threat actors to potentially gain access to sensitive user data and communications."
Ivacy VPN is currently silent on the matter, so it’s difficult to determine exactly how the hackers obtained the certificates. They have, since then, been invalidated for breaching “baseline requirements” set up by DigiCert.
- Check out the best endpoint protection tools around
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.