
Threat Actors Use Abnormal Certificates to Deliver Info-stealing Malware


Mar 12, 2025 · 4 min read

Malicious certificates can be highly dangerous as they can be used to deceive users into trusting malicious websites or software.

This can lead to various security threats, including:

  • Data breaches

  • Malware infections

  • Phishing attacks

  • Loss of user privacy

  • Loss of system integrity

Cybersecurity researchers at ASEC (AhnLab Security Emergency Response Center) recently identified that threat actors are exploiting abnormal certificates to deliver info-stealing malware.


Technical Analysis

The malware is signed with certificates whose Subject Name and Issuer Name fields are filled with randomly entered text, which makes both fields unusually long.

Windows does not display the certificate details for these files; they can only be inspected with dedicated tools. The certificate is also invalid, so the signature does not verify: the bogus certificate and its contents do nothing to make the file pass signature checks.

The Subject and Issuer strings contain non-English text and special characters, and their form has changed little over more than two months, which suggests the choice is deliberate rather than accidental.
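Since the Windows certificate viewer shows nothing for these files, the check a practitioner wants is one that reads the Subject and Issuer Names directly. The following added example (not code from ASEC or the article) is a small DER encoder and decoder for X.509 Name structures in plain Python, plus a heuristic that flags what the report describes: attribute values far beyond the RFC 5280 upper bounds, non-ASCII text and unusual punctuation, and a Name that is large overall. The sample names, the 256-byte threshold and the character rules are assumptions made for illustration; in practice you would feed `assess_name` the Subject and Issuer Names extracted from a PE file's Authenticode signature with a PKCS#7 parser or a tool such as osslsigncode.

```python
import random
import re

# Attribute OIDs found in Subject/Issuer Names and the RFC 5280 upper bounds on
# their values (ub-common-name and ub-organization-name 64, ub-country-name 2).
OID_CN, OID_O, OID_OU, OID_C = "2.5.4.3", "2.5.4.10", "2.5.4.11", "2.5.4.6"
OID_LABEL = {OID_CN: "CN", OID_O: "O", OID_OU: "OU", OID_C: "C"}
UPPER_BOUND = {OID_CN: 64, OID_O: 64, OID_OU: 64, OID_C: 2}
TAG_OID, TAG_UTF8, TAG_SEQUENCE, TAG_SET = 0x06, 0x0C, 0x30, 0x31

def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])  # base-128, high bit set on all but the last octet
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(TAG_OID, bytes(out))

def encode_name(attrs):
    """Encode [(oid, value), ...] as SEQUENCE OF (SET OF SEQUENCE {OID, UTF8String})."""
    rdns = b"".join(
        _tlv(TAG_SET, _tlv(TAG_SEQUENCE, _encode_oid(oid) + _tlv(TAG_UTF8, val.encode("utf-8"))))
        for oid, val in attrs)
    return _tlv(TAG_SEQUENCE, rdns)

def _read_tlv(buf, pos):
    """Return (tag, body, position just past this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_name(der):
    """Parse a DER Name back into [(oid, value), ...]."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)  # one RelativeDistinguishedName (SET)
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)   # AttributeTypeAndValue (SEQUENCE)
            _, oid_body, q = _read_tlv(atv, 0)
            _, val_body, _ = _read_tlv(atv, q)
            attrs.append((_decode_oid(oid_body), val_body.decode("utf-8", "replace")))
    return attrs

def assess_name(der, max_total_bytes=256):
    """Return findings for a DER Name; an empty list means it looks ordinary.
    The thresholds are this example's heuristics, not figures from ASEC."""
    findings = []
    if len(der) > max_total_bytes:
        findings.append(f"Name is {len(der)} bytes of DER (threshold {max_total_bytes})")
    for oid, value in decode_name(der):
        label, bound = OID_LABEL.get(oid, oid), UPPER_BOUND.get(oid)
        if bound is not None and len(value) > bound:
            findings.append(f"{label} is {len(value)} chars, RFC 5280 upper bound is {bound}")
        if not value.isascii():
            findings.append(f"{label} contains non-ASCII text")
        elif re.search(r"[^A-Za-z0-9 .,'()/&_-]", value):
            findings.append(f"{label} contains unusual punctuation")
    return findings

# Constructed sample names (not real IOCs): one ordinary, one in the style the
# report describes, stuffed with random non-English text and symbols.
NORMAL_ATTRS = [(OID_C, "US"), (OID_O, "Example Software Inc"), (OID_CN, "Example Software Inc")]
_rng = random.Random(7)
_JUNK = "абвгдежзийкл漢字文字한글!@#$%^&*()<>"
ABNORMAL_ATTRS = [(OID_C, "XX"),
                  (OID_O, "".join(_rng.choices(_JUNK, k=150))),
                  (OID_CN, "".join(_rng.choices(_JUNK, k=200)))]

if __name__ == "__main__":
    for label, attrs in (("normal", NORMAL_ATTRS), ("abnormal", ABNORMAL_ATTRS)):
        print(label, assess_name(encode_name(attrs)))
```

The RFC 5280 bounds are advisory rather than enforced by most parsers, which is exactly why a signer can stuff hundreds of characters into the CN; the point of the check is that legitimately issued code-signing certificates almost never come close to them, so a long, non-ASCII, symbol-heavy Name is a cheap triage signal even before the signature itself is verified.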

Signature information (Source – ASEC)

One of the distributed samples is a URL-encoded malicious script intended to download and execute PowerShell commands; in the observed infection chain it does not work and stays inactive.

Two malware families with this distinctive signature appearance are being distributed:

  • LummaC2: LummaC2 is the more actively developed of the two. Early versions carried their malicious logic internally; current versions download their configuration from the C2 server and can install additional malware such as Amadey and ClipBanker.

  • RecordBreaker: RecordBreaker, aka Raccoon Stealer V2, has been distributed via YouTube and dropped by other malware. It uses an unusual User-Agent value such as ‘GeekingToTheMoon’ when connecting to its C2, but its functionality is otherwise largely unchanged.

Both are info-stealers: they can expose sensitive user data such as browser credentials, documents and cryptocurrency wallets, and can install further malicious code to keep the damage going.

The malware is hosted on malicious pages that rank well in search engines (SEO poisoning), typically for keywords related to cracks and other illegal software, so it reaches a large number of users.

Distribution page (Source – ASEC)

Early LummaC2 samples sent stolen data to the ‘/c2sock’ path. Later versions added a ‘/c2conf’ path for downloading the configuration, and the current version uses ‘/api’ for both.

Each major change is reflected in the ‘ver’ parameter sent to the C2 server; the current version reports 4.0.
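The path and version details above are enough for a simple network-side triage rule. The following added example (not code from ASEC or the article) scans constructed HTTP request records and classifies hits by the LummaC2 generation each path corresponds to. The JSON-lines log format, the hostnames, the source addresses and every body field other than `ver` are assumptions made for illustration; they are not IOCs.

```python
import json
from urllib.parse import parse_qs

# C2 path used by each LummaC2 generation, per the ASEC observations above.
LUMMA_PATHS = {
    "/c2sock": "initial (data upload)",
    "/c2conf": "modified (config download)",
    "/api": "current (ver 4.0, single endpoint)",
}

# Constructed sample records in a hypothetical JSON-lines format, such as a
# sandbox or an inline proxy with body capture might emit. Placeholders only.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "method": "POST", "host": "c2-one.invalid", "path": "/c2sock", "body": "data=..."}
{"src": "10.0.0.7", "method": "POST", "host": "c2-two.invalid", "path": "/c2conf", "body": ""}
{"src": "10.0.0.9", "method": "POST", "host": "c2-three.invalid", "path": "/api", "body": "ver=4.0&id=abc123"}
{"src": "10.0.0.9", "method": "GET", "host": "intranet.invalid", "path": "/api", "body": ""}
{"src": "10.0.0.11", "method": "POST", "host": "shop.invalid", "path": "/api", "body": "user=alice&cart=3"}
"""

def classify(record):
    """Return a hit for a request that matches a LummaC2 C2 path, else None.
    '/api' is far too generic on its own, so it only counts when the POST body
    carries the 'ver' field that the article says tracks LummaC2's version."""
    path = record["path"]
    if record["method"] != "POST" or path not in LUMMA_PATHS:
        return None
    ver = parse_qs(record.get("body", "")).get("ver", [None])[0]
    if path == "/api" and ver is None:
        return None
    return {"src": record["src"], "host": record["host"], "path": path,
            "generation": LUMMA_PATHS[path], "ver": ver}

def scan(log_text):
    """Run classify() over every non-empty JSON line and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            hit = classify(json.loads(line))
            if hit:
                hits.append(hit)
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['host']}{hit['path']}: {hit['generation']}, ver={hit['ver']}")
```

The trade-off is deliberate: ‘/c2sock’ and ‘/c2conf’ are distinctive enough to match on their own, while requiring `ver` on ‘/api’ keeps ordinary REST traffic out of the results at the cost of missing any future variant that drops the parameter. Treat the output as a lead to pivot on (host reputation, the signing certificate of the process that made the request), not as a verdict.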

C2 communication in LummaC2 (Source – ASEC)

Amadey downloads and installs further malware from its C2 server, ClipBanker swaps cryptocurrency wallet addresses that the victim copies to the clipboard, and LummaC2 can deliver either of them, so an infection can persist through continued C2 communication or end in wallet manipulation.

Information-stealing malware keeps changing, so users need to stay vigilant and apply strong security measures to protect personal data and digital assets.

IOCs


Source: CybersecurityNews.com

