Kaspersky's Duqu 2.0 malware infiltration aided by stolen Foxconn digital certificates

Digital certificate signed in February used in Kaspersky malware to sniff network traffic

The Duqu 2.0 malware used to infiltrate security software company Kaspersky Labs had been signed with digital certificates stolen from Chinese hardware giant Hon Hai, better known as Foxconn.

In a detailed account of the company's research into the malware, Kaspersky revealed that "the attackers created an unusual persistence module which they deploy on compromised networks. It serves a double function - it also supports a hidden C&C communication scheme. This organisation-level persistence is achieved by a driver that is installed as a normal system service. On 64-bit systems, this implies a strict requirement for an Authenticode digital signature. We have seen two such persistence drivers deployed in the course of attacks."

It continued: "During their operations the Duqu threat actors install these malicious drivers on firewalls, gateways or any other servers that have direct internet access on one side and corporate network access on other side. By using them, they can achieve several goals at a time: access internal infrastructure from the internet, avoid log records in corporate proxy servers and maintain a form of persistence after all.

"In essence, the drivers are redirecting network streams to and from the gateway machine that runs it. To forward connections, the attacker first has to pass a network-based 'knocking' mechanism by using a secret keyword. We have seen two different secret keywords in the samples we collected so far: 'romanian.antihacker' and 'ugly.gorilla'."

The compromised driver, signed with a certificate supposedly belonging to "Hon Hai Precision Industry Co. Ltd" - better known as Foxconn - responds to keywords that it sniffs from network traffic, which is how the attackers deliver instructions, while the malware's own traffic mimics HTTPS.

"Perhaps the most important part of this attack strategy is the digital signature used for the 64-bit driver. Because this is a mandatory requirement on 64-bit Windows systems, the driver had a valid digital signature. It was signed by 'HON HAI PRECISION INDUSTRY CO. LTD.' ... According to the information from the driver it was signed at 20:31 on 19.02.2015."
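The practical lesson of that passage is that a "valid" Authenticode signature is not by itself evidence that a driver is legitimate, since the certificate may have been stolen. As an added defender's example (not code from the article or from Kaspersky), the PowerShell below inventories installed kernel drivers, flags any whose signer matches the hardware vendors the article names, and lists running drivers whose signer is not on an allow list; the watch list and allow list are assumptions to be tuned per environment.

```powershell
# Added example (not from the article or Kaspersky): inventory kernel drivers and
# triage them by signer identity rather than by signature validity alone, because
# a driver signed with a stolen certificate will still report Status = Valid.
# Assumptions: run in an elevated session on the host being checked; both lists
# below are illustrative, not authoritative.

$WatchSubjects   = @('HON HAI PRECISION INDUSTRY CO', 'JMicron', 'Realtek')  # signers the article says were abused
$AllowedSubjects = @('Microsoft Windows', 'Microsoft Corporation')          # expected signers on a stock host (assumption)

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may carry NT-style prefixes or quotes; normalise to a Win32 path.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^"|"$', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { return }

        # Handles both embedded and catalog signatures (in-box drivers are usually catalog-signed).
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            Path      = $path
            SigStatus = $sig.Status                     # Valid / NotSigned / HashMismatch / ...
            SigType   = $sig.SignatureType              # Authenticode / Catalog / None
            Signer    = $subject
            NotBefore = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotBefore } else { $null }
            Watched   = [bool]($WatchSubjects   | Where-Object { $subject -like "*$_*" })
            Expected  = [bool]($AllowedSubjects | Where-Object { $subject -like "*$_*" })
        }
    }

# Triage order: watch-listed signers first, then any running driver with an unexpected signer.
$drivers |
    Where-Object { $_.Watched -or ($_.State -eq 'Running' -and -not $_.Expected) } |
    Sort-Object Watched -Descending |
    Format-Table Name, State, SigStatus, SigType, Signer, NotBefore, Path -AutoSize
```

Signer hits on the watch list are a lead for analysis, not proof of compromise, since the same vendors ship legitimate drivers; compare the certificate's serial and validity window against what the vendor actually uses.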

It is not the first time that Kaspersky has picked up digitally signed malware - although it is the first known to have been used in an attack on a security software vendor.

"During our previous research into Stuxnet and Duqu we have observed digitally signed malware (using malicious Jmicron and Realtek certs)," concluded Kaspersky. "Stealing digital certificates and signing malware on behalf of legitimate businesses seems to be a regular trick from the Duqu attackers. We have no confirmation that any of these vendors have been compromised but our indicators definitely show that the Duqu attackers have a major interest in hardware manufacturers such as Foxconn, Realtek and Jmicron."

An earlier analysis had explained how the company believed that it had been initially infected as a result of a mundane but apparently successful spear-phishing attack.

"The initial attack against Kaspersky Lab began with the targeting of an employee in one of our smaller APAC offices. The original infection vector for Duqu 2.0 is currently unknown, although we suspect spear-phishing emails played an important role. This is because one of the patients zero we identified had their mailbox and web browser history wiped to hide traces of the attack. Since the respective machines were fully patched, we believe a zero-day exploit was used."
