Cybersecurity researchers from SentinelLabs have recently spotted a hacking campaign in which legitimate certificates used by a VPN service were abused to hide malware in plain sight.
The researchers pinned the campaign to Bronze Starlight, a Chinese state-sponsored APT, which was after companies in the gambling industry, located in the Southeast Asia region.
As per their report, the group was distributing two .NET executables – agentupdate_plugins.exe and AdventureQuest.exe, most likely through trojanized chat apps. The goal of the campaign, according to the researchers, is to deliver a Cobalt Strike beacon.
Hiding in plain sight
Cobalt Strike is a commercial penetration testing tool, used by both security professionals and cybercriminals. Legitimate use cases include testing the security of networks and systems.
The code-signing certificate for the .NET executables was the same one that’s used by the installer for Ivacy VPN, a popular virtual private network solution.
By using a legitimate certificate, the attackers can bypass cybersecurity solutions installed on the target endpoint, and also make sure that any inbound and outbound traffic generated by the malware remains hidden.
The researchers also discovered that the two .NET executables were designed not to work in certain countries, including the United States, Germany, France, Russia, India, Canada, or the UK, most likely to further evade detection. But the geofencing feature wasn’t implemented properly, they added.
“It is likely that at some point the PMG PTE LTD signing key has been stolen – a familiar technique of known Chinese threat actors to enable malware signing,” SentinelLabs said. “VPN providers are critical targets since they enable threat actors to potentially gain access to sensitive user data and communications.”
Ivacy VPN is currently silent on the matter, so it’s difficult to determine exactly how the hackers obtained the certificates. They have, since then, been invalidated for breaching “baseline requirements” set up by DigiCert.