{ "Event": { "analysis": "2", "date": "2016-03-24", "extends_uuid": "", "info": "OSINT - Malware is being signed with multiple digital certificates to evade detection", "publish_timestamp": "1458838164", "published": true, "threat_level_id": "2", "timestamp": "1458838177", "uuid": "56f419c3-e67c-45fc-b3a6-40d5950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#004646", "name": "type:OSINT" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1458838011", "to_ids": false, "type": "link", "uuid": "56f419fb-886c-4e3f-bfcc-4d88950d210f", "value": "http://www.symantec.com/connect/blogs/malware-being-signed-multiple-digital-certificates-evade-detection" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1458838036", "to_ids": false, "type": "comment", "uuid": "56f41a14-78c0-4c47-b903-4b78950d210f", "value": "Symantec has recently observed various malware families seen in the wild signed with multiple digital certificates. As seen with Suckfly, valid, legitimate certificates can be stolen from an organization, often without their knowledge, and then used to sign malware to evade detection. In this case, attackers have used multiple digital certificates together to increase the chance that the targeted computer considers their malware safe. The attacker's ultimate goal is that their attack goes completely undetected.\r\n\r\nHistorically, attacks have focused on the SHA1 algorithm. This prompted businesses and IT departments at various organizations to distrust SHA1 certificates and gradually move to SHA2. Microsoft\u00e2\u20ac\u2122s discontinuation of support for files signed with SHA1, may indicate a paradigm shift in the digital certificate space.\r\n\r\nEarlier last year, Microsoft announced the discontinuation of support for files digitally signed with a SHA1 signature after January 1, 2016 in certain scenarios. According to the new enforcement details, code signing certificates signed after January 1, 2016 will not be honored by Microsoft Windows (version dependent). These new restrictions have started to force attackers to move away from SHA1 and to figure out new ways to use SHA2 digitally signed certificates.\r\n\r\nWhile this change may have slowed down attackers, malware authors have been looking for ways to adapt to this new policy.\r\n\r\nEarlier this week we came across a spam campaign using a malicious Word document that downloads a payload to compromise the computer. In this case, the payload is Trojan.Carberp.B, a well-known financial Trojan that targets financial institutions and their customers. Our current telemetry reports that the attacks are contained to the following countries:" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1458838063", "to_ids": true, "type": "sha256", "uuid": "56f41a2f-d8bc-40a5-abe2-448a950d210f", "value": "9758aa737004fc3fc6bc7d535e604324b6e42c7c19459f575083a411a4774b18" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1458838104", "to_ids": true, "type": "url", "uuid": "56f41a58-31a4-42b8-9407-4d8f950d210f", "value": "154.16.138.74/sexit.exe" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1458838115", "to_ids": true, "type": "ip-dst", "uuid": "56f41a63-ff4c-4fba-a9b7-4160950d210f", "value": "154.16.138.74" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1458838143", "to_ids": false, "type": "link", "uuid": "56f41a7f-6e54-4ef5-92ee-fc04950d210f", "value": "https://malwr.com/analysis/NmFmNzhhYjYyODIwNGUxMzliMGRlMWM5NjYwNzUxNzk/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 9758aa737004fc3fc6bc7d535e604324b6e42c7c19459f575083a411a4774b18", "deleted": false, "disable_correlation": false, "timestamp": "1458838177", "to_ids": true, "type": "sha1", "uuid": "56f41aa1-e91c-4c04-8da7-409102de0b81", "value": "9155973df9080ce996ae372e20d56795b58e2eeb" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 9758aa737004fc3fc6bc7d535e604324b6e42c7c19459f575083a411a4774b18", "deleted": false, "disable_correlation": false, "timestamp": "1458838177", "to_ids": true, "type": "md5", "uuid": "56f41aa1-686c-4afa-b06a-4b4502de0b81", "value": "a06bf47c5147ad1b336633112a4a42a8" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1458838178", "to_ids": false, "type": "link", "uuid": "56f41aa2-3ca4-422b-8b7a-4b3502de0b81", "value": "https://www.virustotal.com/file/9758aa737004fc3fc6bc7d535e604324b6e42c7c19459f575083a411a4774b18/analysis/1458837563/" } ] } }