Hackers Use VPN Provider’s Certificate to Sign Malware
Cybersecurity experts report that the Chinese hacker group Bronze Starlight is targeting the gambling industry in Southeast Asian countries using malware signed with a valid code-signing certificate belonging to the VPN provider Ivacy. Because the signature chains to a trusted certificate authority, the malware passes signature checks, draws fewer warnings from the operating system and security tools, and blends in with legitimate software and its traffic.
Bronze Starlight’s cyberattacks began as early as March 2023 and are likely a continuation of the ChattyGoblin hacking operation, which ESET discovered at the end of 2022. According to analysts at SentinelLabs, the attacks begin with .NET executable files (agentupdate_plugins.exe and AdventureQuest.exe) landing on the target system, most likely delivered through trojanized chat applications. Once running, these executables download password-protected ZIP archives from Alibaba Cloud buckets.
Contents of the Archives
The AdventureQuest.exe sample was first spotted in May 2023 by security researcher MalwareHunterTeam, who noticed that it was signed with the same code-signing certificate as the official Ivacy VPN installers.
The archives contain deliberately chosen versions of legitimate, signed software, including Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan, that are known to be susceptible to DLL hijacking (sideloading). Bronze Starlight abuses these applications to load Cobalt Strike beacons on targeted systems.
Malicious DLLs (libcef.dll, msedge_elf.dll, and LockDown.dll) are packed in the archives alongside the legitimate programs. When an executable loads a DLL by name, Windows searches the application’s own directory before system locations such as C:\Windows\System32, so the trusted, signed executable picks up the attacker’s DLL from its own folder instead of the library it expects, and the malicious code runs inside a trusted process.
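The following PowerShell script is an added example, not code from the article or from SentinelLabs or ESET. It scans a directory tree for the staging pattern described above: for every .exe it finds, it inspects the .dll files in the same directory and flags those that carry one of the three file names from the report, share a name with a DLL in System32 (the application directory is searched first, so the local copy wins), are unsigned while the .exe beside them is signed, or are signed by a different publisher than the .exe. The watch list reuses only the three names the article gives; the remaining heuristics are assumptions for illustration and will produce benign hits that need triage.

```powershell
<#
Added example (not from the article or the vendors' reports): hunt a directory
tree for DLL sideloading candidates. Usage:
  .\Find-SideloadCandidates.ps1 -Path C:\Users\victim\Downloads
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $Path,
    # DLL names reported for this campaign; extend with your own indicators.
    [string[]] $WatchNames = @('libcef.dll', 'msedge_elf.dll', 'LockDown.dll')
)

function Get-SignerSubject {
    # Returns the Authenticode signer subject of a file, or $null if unsigned.
    param([string] $File)
    $sig = Get-AuthenticodeSignature -FilePath $File
    if ($sig.Status -eq 'NotSigned' -or $null -eq $sig.SignerCertificate) { return $null }
    return $sig.SignerCertificate.Subject
}

$system32 = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[object]

foreach ($exe in Get-ChildItem -Path $Path -Recurse -File -Filter '*.exe') {
    $exeSigner = Get-SignerSubject -File $exe.FullName
    foreach ($dll in Get-ChildItem -Path $exe.DirectoryName -File -Filter '*.dll') {
        $dllSigner = Get-SignerSubject -File $dll.FullName
        $reasons = @()
        if ($WatchNames -contains $dll.Name) {
            $reasons += 'file name reported for this campaign'
        }
        # A same-named DLL in System32 is the classic search-order hijack; the
        # three names above are not System32 libraries, so this check catches
        # other staging kits rather than this specific one.
        if (Test-Path -LiteralPath (Join-Path $system32 $dll.Name)) {
            $reasons += 'same name as a System32 DLL (app directory wins in the search order)'
        }
        if ($exeSigner -and -not $dllSigner) {
            $reasons += 'unsigned DLL next to a signed EXE'
        }
        elseif ($exeSigner -and $dllSigner -ne $exeSigner) {
            $reasons += 'DLL signer differs from EXE signer'
        }
        if ($reasons.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Exe       = $exe.FullName
                ExeSigner = $exeSigner
                Dll       = $dll.Name
                DllSigner = $dllSigner
                Reasons   = ($reasons -join '; ')
            })
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No sideloading candidates found under $Path"
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Expect noise from the signer-mismatch rule (many vendors ship third-party DLLs signed by someone else); the combination of a watch-list name or a System32 shadow with a signer mismatch is what deserves attention first. Run it against user-writable locations such as download and temp folders, where extracted archives like the ones described above would land.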
SentinelLabs notes that the .NET files contain geofencing checks meant to stop the malware from running in the USA, Germany, France, Russia, India, Canada, or the UK. However, due to a coding error, these checks do not work as intended.
The Stolen Certificate
The most notable aspect of this campaign is the use of a certificate belonging to PMG PTE LTD, the company behind Ivacy VPN. This same certificate is used to sign the official Ivacy VPN installer, which is linked on the VPN provider’s official website.
“It is likely that at some point the PMG PTE LTD signing key was stolen, which is a known method used by Chinese threat actors to sign malware,” experts note. “VPN providers are attractive targets for hackers because they offer guaranteed access to confidential user data and communications.”
If the certificate was stolen, researchers are concerned about what else the attackers might have accessed within the VPN provider’s network. Representatives of PMG PTE LTD have not responded to the researchers’ findings, so it remains unclear how the attackers obtained the certificate.
Meanwhile, in early June 2023, DigiCert revoked the certificate, citing a violation of its Baseline Requirements.
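Revocation only protects systems that actually check it, and under Authenticode a timestamped signature made before the revocation’s effective date can still verify, so a plain “Valid” from signature verification is not proof that a binary is unrelated to the abused certificate. The following PowerShell script is an added example, not code from the article, SentinelLabs, or DigiCert: it hunts a directory tree for Authenticode signatures whose signer matches the Ivacy VPN publisher named above and reports, for each hit, what Windows makes of the signature and whether the signing certificate is revoked right now according to a live CRL/OCSP check. The subject string is the only indicator taken from the article; the optional thumbprint parameter is an assumption (the article gives no thumbprint or serial) to be filled in from a known-good Ivacy installer or the vendor report.

```powershell
<#
Added example (not from the article or the vendors' reports): find files signed
with the PMG PTE LTD certificate and check its current revocation status.
Usage:
  .\Find-SignerHits.ps1 -Path C:\ -Thumbprint <sha1 from a known Ivacy installer>
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $Path,
    [string] $SubjectMatch = 'PMG PTE LTD',   # publisher name from the report
    [string] $Thumbprint = ''                 # assumed: SHA-1 thumbprint of the abused cert, if known
)

function Test-CertRevoked {
    # Builds the chain with online revocation checking and reports whether any
    # element is marked Revoked, or whether the check could not be completed.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($Cert)
    $joined = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','
    [pscustomobject]@{
        Revoked     = [bool]($joined -match '\bRevoked\b')
        CheckFailed = [bool]($joined -match 'RevocationStatusUnknown|OfflineRevocation')
        ChainStatus = $joined
    }
}

$extensions = '.exe', '.dll', '.sys', '.msi', '.ps1'
$hits = foreach ($file in Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
                 Where-Object { $extensions -contains $_.Extension }) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) { continue }

    $subjectHit = $cert.Subject -match [regex]::Escape($SubjectMatch)
    $thumbHit   = $Thumbprint -and ($cert.Thumbprint -eq $Thumbprint)
    if (-not ($subjectHit -or $thumbHit)) { continue }

    $rev = Test-CertRevoked -Cert $cert
    $checkNote = if ($rev.CheckFailed) { 'incomplete (offline or CRL/OCSP unreachable)' } else { 'ok' }

    [pscustomobject]@{
        File            = $file.FullName
        Signer          = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        SignatureStatus = $sig.Status                              # Windows' verdict on the signature
        Timestamped     = ($null -ne $sig.TimeStamperCertificate)  # timestamped signatures may still verify
        RevokedNow      = $rev.Revoked                             # live chain check on the signing cert
        RevocationCheck = $checkNote
        ChainStatus     = $rev.ChainStatus
    }
}

if (-not $hits) {
    Write-Host "No files signed by '$SubjectMatch' found under $Path"
} else {
    $hits | Format-List
}
```

Treat every hit as a triage item rather than a verdict: a genuine Ivacy installer and a Bronze Starlight loader will both match the signer, so compare file hashes against a known-good installer and look at where the file came from. Where RevocationCheck reports “incomplete”, the host could not reach the CA’s CRL or OCSP endpoints and RevokedNow should not be read as a negative result.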