Threat Actors Use Abnormal Certificates to Deliver Info-stealing Malware

Malicious certificates can be highly dangerous as they can be used to deceive users into trusting malicious websites or software.

This can lead to various security threats, including:-

  • Data breaches
  • Malware infections
  • Phishing attacks
  • Compromise user privacy
  • Compromise system integrity

Cybersecurity researchers at ASEC (AhnLab Security Emergency Response Center) recently identified that threat actors are exploiting abnormal certificates to deliver info-stealing malware.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today‚Äôs most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Technical Analysis

Malicious code mimics certificates with randomly entered info, causing unusually long Subject and Issuer Names.

Certificate info remains hidden in Windows, which is only detectable with specific tools. So, the incorrect certificate and its information are useless for signature verification.

The signature uses non-English languages and special characters and shows little variation for over two months, suggesting a specific intention.

Signature information
Signature information (Source – ASEC)

The distributed sample is a URL-encoded malicious script that fails to download and execute Powershell commands, remaining inactive in the infection process.

Two distinct malware types with this distinctive appearance are distributed. And here below, we have mentioned them:

  • LummaC2: LummaC2 is the most adaptable malware in this distribution. Originally, it had self-contained malicious actions, but now it downloads configs from C2 and can install other malware like Amadey and Clipbanker.
  • RecordBreaker: RecoreBreaker, aka Raccoon Stealer V2, spreads through YouTube and other malware. It employs a unique User-Agent value like ‘GeekingToTheMoon’ when connecting to C2, but its functionality remains largely unchanged.

Both malware types excel in information theft, potentially exposing sensitive user data like browser accounts, documents, and cryptocurrency wallets, and may install more malicious code for ongoing damage.

Malware on easily found malicious pages via search engines (SEO poisoning) threatens many users, often linked to illegal software keywords.

Distribution page
Distribution page (Source – ASEC)

“The initial sample of LummaC2 sent info to ‘/c2sock,’ then modified versions downloaded config from ‘/c2conf’ and used ‘/api’ for both. 

All the major changes are tracked by the ‘ver’ parameter, and besides this, the current version is 4.0.

C2 communication in LummaC2
C2 communication in LummaC2 (Source – ASEC)

Amadey downloads and installs malware via C2, ClipBanker changes copied wallet addresses, and LummaC2 can host added malware for ongoing C2 communication or wallet manipulation.

Users are seriously threatened by information-stealing malware that is continually changing, which emphasizes the crucial relevance of exercising vigilance and the necessity of taking strong cybersecurity measures to protect personal data and digital assets.

IOCs

eae39f18a51c151601eaf430245d3cb4
3c39098b93eb02c664d09e0f94736d95
89644b879046b97dccf71c68c88bcf42
bb2147e536ba06511ca8ea0b43a38ef7
e584f749b3b06d328001f0dea7a45617
331c7d351bc39efb36fd53c74c12c3a5
d8518e4fcbdbcc056a72a495430f37b6
2667f726136c0c848b30ec93cbd488b7
a0caecafa32e88f363942945f759b799
5dfe53ca9cd218a0ed129ebecc107cf0
7ed43c0f2093707f65369ad87832599c
dabe6f3ac23858a353c53382f92a217b
fa371f301369b16a7a379008cc1b4f64
6b5ad8f456dc6704638d5b3e38135a2b
dbee35748bd993f3bd4a822d362f309d
331031e51a9816db6aa48a7dcff41c28
32b4703cc03286e610094704925ca5e4
e5f82461f276bfb9150ab253b3474aa1
e6facedba218387d24d6908a59f1730b
8329b54e5b8921825579c3eae37ee8b4
6260a3ea150744248ed0a155d079d2c8
a998f8d64d6953e1fdaafba655c84120
cbc06399af416c6b5a5aec73890a15a1
613425d8623f118e45fb65619f71c387
5d2359723a3acac158320a48f1930e08
05ab72ab29765fa803a9a88e940cc826
b484fdc3953f4d84e24ba8dd309accf2
7974df61d5906ca20e146c1b8b8b3aaa
0970196d074cbf7221f5be8208c7cba3
63a0789d8bfa599da31a7620947d7a24
d8b5732afb4897035043ea05ad84f928
a82d9b679c0df2a62939ee21939e7e7a
4cf108debe0314357431525f01376a56
de9cb5f942d9f73a1a5659172372b099
aa4fb8876b89288a015fbf945da98d87
b64c3663718228679df20e9282727110
0ece25acd98b2cd0beebd20d3fc11fd1

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.