Malware works best when it fools the user. A campaign making the rounds disguises a trojan as an essential security update. The lure borrows the vocabulary of SSL/TLS certificates, which are issued to websites by Certificate Authorities and verified automatically by the browser, so to a casual visitor a message about an outdated certificate sounds plausible. The attackers are using a new social-engineering technique, served from websites they have already compromised, to increase the success rate of their payload.
The attack begins with the compromise of a targeted website. Visitors to that site then see a fake security alert claiming the site’s security certificate is out of date and that a security update must be installed to continue. That claim does not hold up: a site’s certificate is installed and renewed by the site’s operator on the server, and the browser checks it on its own. When a certificate really has expired, the browser shows its own warning page before the site loads; no legitimate fix ever involves the visitor downloading anything.
The lure cloaks itself by keeping the legitimate website’s URL in the address bar, which lends it “legitimacy.” A script injected into the compromised page (a jQuery snippet that pulls content from a third-party server) loads the fake alert into an iframe positioned as a full-page overlay, hiding the real page content underneath it.
Unsurprisingly, the alert offers a download link to “fix” the issue. The file is an executable named Certificate_Update_v02.2020.exe; if it is downloaded and run, it installs the malware payload. In the outbreaks reported so far, the payload is either Buerak or Mokes. Both are backdoors, and the .exe extension tells you the dropper is a Windows program.
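The three tell-tale signs described above (a script pulled from a third-party host, a full-page iframe overlay served from that host, and a link to a “certificate update” executable) are all visible in the compromised page’s HTML, so a site operator can scan for them. The following is an added example written for this article; it is not Bytagig’s code or anything taken from the campaign itself. The host names and the sample HTML are constructed for illustration and are not real indicators.

```python
"""
Added example: scan a page's HTML for the fake-certificate overlay pattern.
Not part of the original article and not the malware's code; hosts and
sample markup below are constructed, not real indicators.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the legitimate site whose pages we are checking.
SITE_HOST = "www.example-shop.test"

# Constructed sample of what a compromised page might look like.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-shop.test/js/jquery.min.js"></script>
<script src="https://cdn-update.attacker.test/update.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://cdn-update.attacker.test/alert.html"
        style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:99999"></iframe>
<a href="https://cdn-update.attacker.test/Certificate_Update_v02.2020.exe">Install update</a>
</body></html>
"""


class OverlayScanner(HTMLParser):
    """Collects (kind, url) findings for the three indicators."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _is_third_party(self, url):
        # Relative URLs have no host and are treated as first-party.
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src") and self._is_third_party(a["src"]):
            # Injected loader fetched from a host that is not ours.
            self.findings.append(("third_party_script", a["src"]))
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            full_page = ("position:fixed" in style
                         and "width:100%" in style
                         and "height:100%" in style)
            src = a.get("src") or ""
            # A fixed, viewport-sized iframe from another host hides our page.
            if full_page and self._is_third_party(src):
                self.findings.append(("overlay_iframe", src))
        elif tag == "a" and a.get("href"):
            path = urlparse(a["href"]).path.lower()
            # The lure: an .exe whose name mentions a certificate. Checked on
            # any host, since a compromised site could serve the file itself.
            if path.endswith(".exe") and "certificate" in path:
                self.findings.append(("executable_lure", a["href"]))


def scan(html, site_host=SITE_HOST):
    """Return the list of (kind, url) findings for one page."""
    parser = OverlayScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, url in scan(SAMPLE_HTML):
        print(f"{kind}: {url}")
```

Findings are candidates, not verdicts: many legitimate sites load scripts from a CDN, so in practice you would pair the third-party-script check with an allowlist of hosts you expect. The overlay and executable-lure checks are far more specific and are the ones worth alerting on.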
Buerak is a Windows backdoor. Once installed on a target system it can steal information and files, detect analysis and sandbox environments in order to evade them, modify registry keys (for example, to persist across reboots), and inject into or otherwise interfere with running processes.
Mokes is a cross-platform backdoor family best known for its macOS variant, although the build delivered by this campaign runs on Windows. It follows the familiar pattern of stealing data and files, with the added ability to take screenshots, and it encrypts its command-and-control traffic with AES-256, which makes its network activity harder to inspect.
Separately, one certificate authority (Let’s Encrypt) is revoking approximately 3 million certificates because of a bug in its issuance checks, so many sites will be renewing certificates at the same time. That legitimate clean-up happens entirely on the server side and will never ask a visitor to install anything. In the meantime, treat any in-page prompt to install a “certificate update” as a red flag: genuine certificate warnings come from the browser itself, not from the web page, and they never offer a download.
If you’d like more information or assistance, contact Bytagig to learn how we can support you.