December 6, 2016

Stolen Certificate Used to Sign Malware

(LiveHacking.Com) –  A certificate stolen from the Malaysian Agricultural Research and Development Institute, which was taken “quite some time ago”, has turned up as the digital signature used on a piece of malware known as Trojan-Downloader:W32/Agent.DTIW.

The malware, which spreads via malicious PDF files that install it after exploiting holes in Adobe Reader 8, downloads additional malicious components from a server called worldnewsmagazines.org.

By using a private signing certificate that belongs to the Malaysian government the malware is able to bypass the warnings issued by Windows about untrusted software.

According to F-Secure, who discovered the malware signed with a stolen certificate:

It’s not that common to find a signed copy of malware. It’s even rarer that it’s signed with an official key belonging to a government.

The use of digital certificates and the role of Certificate Authorities (CAs) continues to be a hot topic following several well-publicized security breaches (Diginotar and Comodo) and the subsequent revoking of fraudulently issued certificates.
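The two points above (a stolen key produces a signature Windows accepts as valid, and the only remedy is revocation) are what a defender has to check for explicitly. The following PowerShell function is an added example, not code from the original article or from F-Secure: it reads a file's Authenticode signature, rebuilds the signer's certificate chain with online revocation checking, and compares the signer against an allowlist of expected subjects. The allowlist pattern and the file paths are constructed placeholders; the cmdlets and .NET classes used are standard on Windows.

```powershell
# Added example (not from the original article): inspect a PE file's Authenticode
# signature and flag signatures that should not be trusted on face value.
# Assumes Windows PowerShell 5.1+ or PowerShell 7 on Windows.

function Test-SignedBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Signer subjects the organisation expects to see (constructed placeholder list).
        [string[]] $ExpectedSignerPatterns = @('CN=Microsoft Corporation*')
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path           = $Path
        Status         = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer         = $null
        Thumbprint     = $null
        ChainOk        = $false
        Revoked        = $false
        ExpectedSigner = $false
        Verdict        = 'unsigned'
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer     = $cert.Subject
        $result.Thumbprint = $cert.Thumbprint

        # Rebuild the chain with online revocation checking: a signature made with a
        # stolen key stays cryptographically valid until the CA actually revokes it.
        $ns    = 'System.Security.Cryptography.X509Certificates'
        $chain = New-Object "$ns.X509Chain"
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $result.ChainOk = $chain.Build($cert)
        $revokedFlag    = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        $result.Revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -band $revokedFlag })

        # A valid signature from an unexpected signer (e.g. a government agency on a
        # downloader) is exactly the case in the article; treat it as a finding.
        $result.ExpectedSigner = [bool]($ExpectedSignerPatterns | Where-Object { $cert.Subject -like $_ })

        $result.Verdict = if ($sig.Status -ne 'Valid')          { 'invalid-signature' }
                          elseif ($result.Revoked)              { 'revoked-signer' }
                          elseif (-not $result.ChainOk)         { 'chain-failed' }
                          elseif (-not $result.ExpectedSigner)  { 'valid-but-unexpected-signer' }
                          else                                  { 'trusted' }
    }

    [pscustomobject]$result
}

# Usage (placeholder path): review every executable in a download folder.
# Get-ChildItem 'C:\Quarantine\*.exe' | ForEach-Object { Test-SignedBinary -Path $_.FullName } |
#     Format-Table Path, Status, Signer, Revoked, Verdict -AutoSize
```

The verdict order matters: a signature that does not verify is reported first, a revoked signer second, and only then is the allowlist consulted, so the "valid but unexpected signer" case surfaces as its own category rather than being lost among unsigned files. Revocation checking needs network access to the CA's CRL or OCSP endpoint; on an isolated analysis host `ChainOk` will be false for that reason alone, and the `ChainStatus` entries say why.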