Kaspersky reports backdoor malware spreading through fake security certificate updates

When users try to access an infected site, an iframe is displayed claiming that the site’s security certificate is out of date and that the connection cannot be established. To continue, the visitor is advised to install a new certificate. What actually gets installed is malware on the victim’s computer.

So far, two types of Trojans have been delivered through this attack: Mokes and Buerak. The former provides backdoor access to the victim’s device, while the latter downloads additional malware onto the infected device. Both are spreading thanks to a new phishing technique that tries to trick victims into accepting an “update” of the website’s security certificate.

Backdoors are a particularly dangerous type of malware: they allow threat actors to take control of infected computers for malicious purposes while the user does not even suspect that their computer is being used.

Certification Authorities (CAs) issue SSL/TLS certificates to enhance online security in two ways: encryption of the communication channel between a browser and a server, especially important for domains that provide e-commerce services, and identity verification, which a domain must pass to be trusted.

Although there have been cases of certificate abuse, fraud, and even cybercriminals posing as certificate issuers to lend cover to fraudulent domains or malware payloads, this new phishing approach abuses the certificate approval mechanism itself.

Cybercriminals have used legitimate application updates to spread malware in the past. However, the use of fake security certificates is new and was first identified by Kaspersky researchers this year. “People are particularly vulnerable to this type of attack because it appears on legitimate websites they may have visited before. Also, the address shown in the iframe is the actual website address. The natural instinct is to ‘install’ the recommended certificate so that they can view the desired content.

Visitors to a domain compromised by the campaign are shown the following screen:

The warning indicates that the website’s security certificate is out of date. However, instead of this being the domain owner’s problem, victims are asked to install a “security certificate update” to continue.

The message is contained in an iframe whose content is loaded by a jquery.js script from a third-party C2 (command and control) server, while the URL bar still shows the address of the legitimate domain, which lends the prompt an air of legitimacy.

“The jquery.js script covers an iframe that is exactly the same size as the page,” say the researchers. “As a result, the user sees an apparently real banner instead of the original page, prompting them to install a certificate update.”

When the victim clicks the “Update” button, the file “Certificate_Update_v02.2020.exe” starts downloading.

Once unpacked and run, the executable delivers one of two malware variants to the victim, Mokes or Buerak.
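As an added example, not code from the Kaspersky report, the following is a defensive audit a site owner could run to flag the pattern described above: a script pulled from an unexpected origin, and an iframe sized to the whole viewport that loads from a third-party host. It works on plain objects so it can be tested outside a browser; all hostnames in the sample are constructed placeholders.

```javascript
// In a real page, feed this document.scripts and document.querySelectorAll('iframe')
// together with each frame's bounding rectangle; here the input is a constructed object.

function originOf(url, pageOrigin) {
  // Resolve relative URLs against the page so same-origin frames are not flagged.
  try { return new URL(url, pageOrigin).origin; } catch (e) { return null; }
}

// True when the frame covers (nearly) the whole viewport, like the overlay in the campaign.
function coversViewport(frame, viewport, tolerance = 0.95) {
  return frame.width >= viewport.width * tolerance &&
         frame.height >= viewport.height * tolerance;
}

function auditPage(page) {
  const { origin, viewport, scripts, iframes, allowedScriptOrigins } = page;
  const findings = [];
  for (const s of scripts) {
    const o = originOf(s.src, origin);
    if (o && o !== origin && !allowedScriptOrigins.includes(o)) {
      findings.push({ kind: 'third-party-script', src: s.src });
    }
  }
  for (const f of iframes) {
    const o = originOf(f.src, origin);
    if (o && o !== origin && coversViewport(f, viewport)) {
      findings.push({ kind: 'full-page-foreign-iframe', src: f.src });
    }
  }
  return findings;
}

// Constructed sample resembling the campaign: the legitimate domain stays in the URL bar,
// an extra jquery.js comes from an unrelated host, and a viewport-sized iframe loads the
// fake "certificate update" banner from that same host. Hostnames are placeholders.
const SAMPLE_PAGE = {
  origin: 'https://legitimate-shop.example',
  viewport: { width: 1366, height: 768 },
  allowedScriptOrigins: ['https://cdn.example'],
  scripts: [
    { src: '/static/app.js' },                        // same origin, fine
    { src: 'https://cdn.example/jquery.min.js' },     // allowlisted CDN, fine
    { src: 'https://c2-host.example/jquery.js' },     // injected loader
  ],
  iframes: [
    { src: '/support-chat', width: 300, height: 400 },                                   // benign widget
    { src: 'https://c2-host.example/certificate-update.html', width: 1366, height: 768 },
  ],
};
```

Running `auditPage(SAMPLE_PAGE)` reports the injected jquery.js and the full-page foreign iframe, and nothing else.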

Separately, the CA Let’s Encrypt announced plans to revoke more than three million certificates because of a bug in its core code that caused its validation system to skip certain CAA record checks. The programming error has been corrected, and owners of affected domains must request new certificates.

However, users should always be careful when asked to download something from an online source; it is probably not necessary,” said Victoria Vlasova, security expert at Kaspersky.
Kaspersky’s antivirus products successfully detect and block the threat.

To avoid downloading potentially harmful malware onto your device, Kaspersky experts recommend:

Check the URL format and the spelling of the company name.
Enter the website address manually in your browser instead of using a link.
