Malware Hides in Artificial Security Certifications
Malware operates best when it fools the user. Disguised as an essential security update, the malware wreaks havoc after installation. Typically, security updates are certified through the proper channels like Certificate Authorities which distribute SSL/TLS certificates. To bypass that, malicious third parties are employing a new spear-phishing method to increase the success rate of their payload.
The malware operates by first compromising a targeted website. Afterward, the website shows a false security alert, claiming the website’s security certificate is out of date. The difference? The security warning claims a security update must be installed. Security certificates are handled by the domain so this is faulty. It’s not the responsibility of the user browsing the web domain.
How does it work?
It cloaks itself with a sneaky method by maintaining the URL of the website, aiding its “legitimacy.” Loaded from a third party server via jquery script, the content is kept in an iframe environment as an overly, hiding the actual website page content.
Unsurprisingly, a link is provided and offered to download a file to “fix” the issue. This file is the executable Certificate_Update_v02.2020.exe. As a result, the payload runs if the malware is installed. According to current outbreaks, the variant is either Mokes or Buerak. The variants depend on the targeted operating system.
Buerak is the Windows variant. Thus, when installed on a target system it can steal information and data, target analyzing/sandboxing techniques, modify registry keys, and interfere with running processes.
Mokes affects Mac OS systems. Mokes follow familiar patterns by stealing data and information with the added ability to take screenshots. It disguises its activity by using the AES-256 encryption tool.
CA is planning to revoke approximately 3 million certificates due to a dangerous bug. In the meantime, be vigilant of artificial security certificates when prompted for them.
If you’d like more information or assistance, contact Bytagig to learn how we can support you.