Contributor: Jeet Morparia
Symantec has recently observed several malware families in the wild signed with multiple digital certificates. As seen with Suckfly, valid, legitimate certificates can be stolen from an organization, often without its knowledge, and then used to sign malware to evade detection. In this case, attackers have used multiple digital certificates together to increase the chance that the targeted computer considers their malware safe. The attacker's ultimate goal is for the attack to go completely undetected.
Historically, concerns have focused on weaknesses in the SHA1 hash algorithm. This prompted businesses and IT departments at various organizations to distrust SHA1 certificates and gradually move to SHA2. Microsoft’s discontinuation of support for files signed with SHA1 may mark a turning point in the digital certificate space.
Early last year, Microsoft announced that, in certain scenarios, it would stop trusting files digitally signed with SHA1 after January 1, 2016. Under the enforcement details, code signed with a SHA1 code-signing certificate and time-stamped after January 1, 2016 is no longer honored by Microsoft Windows (depending on version). These new restrictions have started to force attackers to move away from SHA1 and to find new ways to use SHA2-signed certificates.
While this change may have slowed down attackers, malware authors have been looking for ways to adapt to this new policy.
Earlier this week, we came across a spam campaign using a malicious Word document that downloads a payload to compromise the computer. In this case, the payload is Trojan.Carberp.B, a well-known financial Trojan that targets financial institutions and their customers. Our current telemetry indicates that the attacks are so far confined to the following countries:
- The United States
Deconstructing the attack
The attack to deliver Carberp.B begins when an unsuspecting user receives the malicious email with the subject, "ATTN 00890". The email and the attachment use specific language to target people who work in accounting departments (Figure 1).
Figure 1. Email sent by attackers to deliver Trojan.Carberp.B
The malicious attachment, “Reverse debit posted in Error 040316.doc”, contains a malicious macro whose strings are obfuscated with a ROT13 substitution cipher (each letter is shifted 13 places, so the same transform both encodes and decodes). Once decoded, the macro downloads a digitally signed malicious binary from [http://]154.16.138.[REMOVED], a server hosted in Mauritius. The downloaded file, sexit.exe, is then executed on the compromised computer without the victim's knowledge, at which point the computer is infected with Trojan.Carberp.B.
Signed twice to evade detection
Cursory analysis of sexit.exe revealed that it is signed with two stolen digital certificates to evade detection. One signature uses SHA1 as its digest algorithm while the other uses SHA2 (Figure 2). It can be safely surmised that the malware author combined certificates with differing algorithms in the hope of thwarting detection.
Figure 2. Malware signed with two digital certificates, one using SHA1 and the other using SHA2
Malware authors have realized the advantages of signing their malware with not one but two digital certificates. One benefit is that multiple signatures make a file appear more legitimate. A second, and perhaps more important, benefit is that a file signed with multiple certificates keeps a valid signature even after the certificate behind one of those signatures has been revoked.
To take advantage of this, attackers can use a SHA1 signature as the primary signature and a SHA2 signature as a secondary one. SHA1 signatures can be verified on every version of Windows, including releases older than Windows XP SP3, whereas SHA2 signatures are not supported on those older operating systems. On such a legacy system, a file signed only with SHA2 would fail validation and appear unsigned; with both signatures present, the malware avoids that problem. The SHA2 signature also serves as a fallback if the primary SHA1 certificate is revoked by the issuing certificate authority.
Malware authors benefit from stealing multiple digital certificates and signing their threats with them. As we demonstrated with Suckfly, one digital certificate can make things easier for attackers. With two, attackers stand an even better chance of accomplishing their goals. The Carberp attacks also point to a shift towards SHA2-signed certificates. While the move from SHA1 to SHA2 may not be instant, because legacy systems do not support the newer algorithm, these attacks indicate that the change is under way.
Symantec advises users to be extra vigilant against such threats and to check every certificate attached to a file, not only the first one a tool reports. Symantec also recommends that users be cautious when dealing with suspicious emails and avoid clicking on suspicious links or opening attachments in unsolicited emails.
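The following is an added example, not code from Symantec's post or from the Carberp sample: a small Python tool that walks a PE file's Attribute Certificate Table and lists every Authenticode signature, following the nested-signature attribute (OID 1.3.6.1.4.1.311.2.4.1) that Windows uses to attach a second signature inside the primary one. It illustrates the dual-signing layout described above (SHA1 primary, SHA2 secondary) and the advice to check all certificates on a file. The sample table at the bottom is constructed in the code, not taken from sexit.exe; its issuer names and encrypted digests are placeholders, so the tool inventories signatures rather than cryptographically verifying them.

```python
import struct
from typing import Iterator

SIGNED_DATA = "1.2.840.113549.1.7.2"         # PKCS#7 signedData
NESTED_SIGNATURE = "1.3.6.1.4.1.311.2.4.1"   # szOID_NESTED_SIGNATURE (unauthenticated attribute)
DIGEST_NAMES = {"1.3.14.3.2.26": "SHA1", "2.16.840.1.101.3.4.2.1": "SHA256",
                "2.16.840.1.101.3.4.2.2": "SHA384", "2.16.840.1.101.3.4.2.3": "SHA512"}
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def der_items(buf: bytes) -> Iterator[tuple[int, bytes, bytes]]:
    """Yield (tag, value, whole_tlv) for each definite-length DER element in buf."""
    pos = 0
    while pos < len(buf):
        start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                     # long form: low 7 bits give the length-of-length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length], buf[start:pos + length]
        pos += length

def decode_oid(value: bytes) -> str:
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def win_certificates(table: bytes) -> Iterator[bytes]:
    """Split the Attribute Certificate Table into WIN_CERTIFICATE payloads (entries are 8-byte aligned)."""
    pos = 0
    while pos + 8 <= len(table):
        length, _revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            yield table[pos + 8:pos + length]
        pos += (length + 7) & ~7

def signatures(content_info: bytes, depth: int = 0) -> list[dict]:
    """One record per SignerInfo, recursing into nested-signature attributes."""
    tag, body, _ = next(der_items(content_info))
    content_type, content = list(der_items(body))[:2]
    if tag != 0x30 or decode_oid(content_type[1]) != SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    _, signed_data, _ = next(der_items(content[1]))     # [0] EXPLICIT SignedData
    signer_infos = list(der_items(signed_data))[-1]     # last SignedData field: signerInfos SET
    found = []
    for _, signer, _ in der_items(signer_infos[1]):
        # SignerInfo: version, issuerAndSerialNumber, digestAlgorithm, [0] authenticatedAttrs,
        # digestEncryptionAlgorithm, encryptedDigest, [1] unauthenticatedAttrs
        parts = list(der_items(signer))
        serial = list(der_items(parts[1][1]))[1][1].hex()
        digest = decode_oid(next(der_items(parts[2][1]))[1])
        found.append({"depth": depth, "serial": serial, "digest": DIGEST_NAMES.get(digest, digest)})
        for tag, attrs, _ in parts[3:]:
            if tag != 0xA1:                   # only [1] unauthenticatedAttrs can carry a nested signature
                continue
            for _, attr, _ in der_items(attrs):
                attr_type, values = list(der_items(attr))[:2]
                if decode_oid(attr_type[1]) == NESTED_SIGNATURE:
                    for _, _, nested in der_items(values[1]):
                        found.extend(signatures(nested, depth + 1))
    return found

def all_signatures(table: bytes) -> list[dict]:
    return [s for blob in win_certificates(table) for s in signatures(blob)]

# --- constructed sample (not from a real binary): minimal DER encoder and a dual-signed blob ---
def encode_tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return encode_tlv(0x06, bytes(out))

def sample_signed_data(digest_oid: str, serial: bytes, nested: bytes = b"") -> bytes:
    """Authenticode-shaped PKCS#7; the encryptedDigest is a placeholder, not a verifiable signature."""
    alg = encode_tlv(0x30, encode_oid(digest_oid))
    unauth = encode_tlv(0xA1, encode_tlv(0x30, encode_oid(NESTED_SIGNATURE) + encode_tlv(0x31, nested))) if nested else b""
    signer = encode_tlv(0x30, encode_tlv(0x02, b"\x01")
                        + encode_tlv(0x30, encode_tlv(0x30, b"") + encode_tlv(0x02, serial))  # issuerAndSerialNumber, issuer elided
                        + alg + encode_tlv(0x30, encode_oid("1.2.840.113549.1.1.1"))        # digestEncryptionAlgorithm: rsaEncryption
                        + encode_tlv(0x04, b"\x00" * 16) + unauth)
    signed = encode_tlv(0x30, encode_tlv(0x02, b"\x01") + encode_tlv(0x31, alg)
                        + encode_tlv(0x30, encode_oid("1.3.6.1.4.1.311.2.1.4")) + encode_tlv(0x31, signer))
    return encode_tlv(0x30, encode_oid(SIGNED_DATA) + encode_tlv(0xA0, signed))

# SHA1 primary signature with a SHA256 signature nested inside it, the layout described for sexit.exe
SAMPLE_PKCS7 = sample_signed_data("1.3.14.3.2.26", b"\x01\x02",
                                  sample_signed_data("2.16.840.1.101.3.4.2.1", b"\x0a\x0b"))
SAMPLE_TABLE = struct.pack("<IHH", 8 + len(SAMPLE_PKCS7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + SAMPLE_PKCS7
SAMPLE_TABLE += b"\x00" * (-len(SAMPLE_TABLE) % 8)
```

Calling `all_signatures(SAMPLE_TABLE)` returns two records: the SHA1 signature at depth 0 and the SHA256 signature at depth 1. To run it against a real file, pass the bytes pointed to by the optional header's IMAGE_DIRECTORY_ENTRY_SECURITY data directory (entry index 4; unlike the other directories, its address field is a file offset, not an RVA). The point of walking the nested attribute is that tools which report only the primary signature, such as PowerShell's Get-AuthenticodeSignature, will show one certificate on a dual-signed file; signtool verify with the /all switch, or a walk like this one, is needed to see the second.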
Symantec Email Security.cloud, Symantec Messaging Gateway, and Symantec Mail Security for Microsoft Exchange can provide additional layers of security against this type of threat.
Symantec and Norton products have the following detections in place to protect against this threat:
In relation to stolen certificates, Symantec advises organizations to maintain strong cybersecurity practices and to store their certificates and corresponding private keys in a secure environment. Using encryption and services such as Symantec’s Extended Validation (EV) Code Signing and Symantec’s Secure App Service can provide additional layers of security.