Chinese malware campaign aided by compromised digital certificate

San Diego, California - Let’s talk about what can happen with a compromised digital certificate. Since March, Kaspersky Labs has been tracking a series of infections from a previously unknown Trojan that was being injected into LSASS.exe. The injection was done by a network filtering driver that was signed with a legitimate digital certificate belonging to the Chinese company ShenZhen LeagSoft Technology Co.

Kaspersky assesses, with a high level of confidence, that this campaign is being carried out by the Chinese hacker collective Lucky Mouse.

There’s a lot to untangle here, but this entire story serves as a fascinating reminder about private key security and what can happen with a compromised digital certificate. It’s also got a bit of a geopolitical slant and another group of curiously named hackers.

Let’s hash it out.

Using a Compromised Digital Certificate to Sign Malware

The linchpin of this entire operation was a network filtering driver, NDISProxy. The driver itself seems to be derived from publicly available C source code, including the Blackbone repository and an http-parser available on GitHub. The driver was then signed using a digital certificate, sometimes called a code signing certificate, issued by VeriSign to a Chinese company called LeagSoft, which rather ironically creates infosec software.

It’s unclear how the hackers came into possession of the digital certificate, but what’s really meant by that is that they were able to compromise the private key. The idea behind code signing is that by applying a digital signature, the client can tell who published the software and that it hasn’t been altered since it was signed. If a legitimate company has its private key compromised, an attacker can use it to sign malware, which is then trusted because it appears to come from that legitimate company.

You can see why that would be an issue.

And this is going to be an issue for LeagSoft, because while the compromised digital certificate expired in July, it was used to sign a lot of legitimate products, too.

Subject: ShenZhen LeagSoft Technology Co.,Ltd.
Serial number: 78 62 07 2d dc 75 9e 5f 6a 61 4b e9 b9 3b d5 21
Issuer: VeriSign Class 3 Code Signing 2010 CA
Valid to: 2018-07-19

Now LeagSoft may need to wage some sort of customer confidence campaign. Case in point is the final sentence of Kaspersky’s threat report:

Please don’t consider all signed files as malicious.

That’s what the browser industry calls “user-hostile.” It asks the user to make a judgment call. Now, hopefully in LeagSoft’s case, this incident will fly under the radar and most people will have no reason to question its software’s legitimacy. But you can see the potential for this to hurt a business. And with internet filters like Microsoft SmartScreen that assign trust scores, there may be a penalty incurred.

Really, all of this boils down to private key security. This is what happens when your private key is compromised.
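As an added example (not from Kaspersky’s report or LeagSoft), here is a PowerShell check that flags files whose Authenticode signer matches the certificate above by serial number and issuer. The serial and issuer come from the certificate details; the scan directory is an assumption for illustration.

```powershell
# Added example: flag files signed with the compromised LeagSoft certificate.
# Serial and issuer are taken from the certificate details above; the scan
# path is an assumption chosen for illustration.
$CompromisedSerial   = '7862072DDC759E5F6A614BE9B93BD521'
$CompromisedIssuerCN = 'VeriSign Class 3 Code Signing 2010 CA'

function Test-CompromisedSigner {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return $null }   # unsigned: nothing to match
    $cert = $sig.SignerCertificate
    # X509Certificate2.SerialNumber is uppercase hex without spaces; -eq is
    # case-insensitive in PowerShell, so formatting differences do not matter.
    [PSCustomObject]@{
        Path    = $Path
        Status  = $sig.Status            # Valid / NotSigned / HashMismatch / ...
        Subject = $cert.Subject
        Serial  = $cert.SerialNumber
        Expired = $cert.NotAfter -lt (Get-Date)
        Match   = ($cert.SerialNumber -eq $CompromisedSerial) -and
                  ($cert.Issuer -like "*CN=$CompromisedIssuerCN*")
    }
}

# Scan the driver store. A "Valid" status alone says nothing about intent;
# the serial number match is the signal that matters here.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys |
    ForEach-Object { Test-CompromisedSigner -Path $_.FullName } |
    Where-Object { $_ -and $_.Match } |
    Format-Table Path, Status, Serial, Expired
```

Because Authenticode signatures are normally timestamped, a file signed before the certificate’s July 2018 expiry still validates afterwards, so the expiry alone does not neutralise the signed driver; matching the serial number does.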

What did the signed driver do?

Without getting too granular, the driver injects a trojan into LSASS.exe, which is a process in Microsoft’s OS called Local Security Authority SubSystem Service. LSASS.exe handles user permissions for the system, doling out access tokens and dealing with user logins and passwords.

Basically, the driver does two things: first, it decrypts the Remote Access Trojan (RAT) that is injected into the system; second, it sets up lines of communication between the command server and the RAT. I’m giving you an extremely abridged version; the driver actually writes quite a few files, concatenates them and ensures that the control server has everything it needs in place to assume control over the system.

The malware can also propagate using the network login and user information contained in LSASS.exe. This allows it to reach systems that only have a LAN IP. NDISProxy uses an Earthworm SOCKS tunneler to connect them to the Command server.

Using this tool, attackers can make lateral movements and create SOCKS tunnels. The Trojan itself serves as an HTTPS server, so that the command server can communicate via the SOCKS tunnel with systems that don’t have an external IP address.

If none of that made sense to you, basically the Chinese hacker collective Lucky Mouse was using a digitally signed driver to infect computer systems with a Remote Access Trojan that allowed a command server to take over targeted computer systems and even networks.

Who is Lucky Mouse and what is it doing?

I’m not sure what the naming conventions are when it comes to hacker groups, but much like Russia’s Fancy Bear, Lucky Mouse has a colorful name that belies its conduct online. Per Kaspersky, the campaign that was aided in part by the compromised digital certificate targeted Central Asian government entities; specifically, it was targeting one high-level meeting in particular.

This assumption is based on:

  • The use of the Earthworm tunneler, which is popular with Chinese hackers
  • One of the commands creates a tunnel to a previously identified Lucky Mouse control server
  • The choice of victims lines up with previous efforts by Lucky Mouse

Particularly, Lucky Mouse seems to have a keen interest in Central Asia and the political agenda of the Shanghai Cooperation Organization, which is a Eurasian alliance between China, Russia and several former Soviet states.

In June, Kaspersky reported a Lucky Mouse operation that injected scripts into the government website for an unnamed Central Asian country’s National Data Center.

The cyber hackers, called Lucky Mouse, are said to have been a group trying to get user information. This group is also called by names such as Iron Tiger, Threat Group-3390, EmissaryPanda, and APT27. The cyber attacks started in 2017, Kaspersky says, adding that malicious scripts were infected into the official website to conduct the country-level waterholing campaign.

Personally, I’m partial to Emissary Panda, because I like the mental image it conjures. The more consequential name is APT 27. APT stands for Advanced Persistent Threat, which is incredibly apt. (I’m legitimately sorry for that pun.)

How do you know if you’ve been compromised?

Kaspersky provided the following hash values, IP addresses and file names so that you can make sure you’re not infected. Again, if you’re not in Asia, you probably don’t have anything to worry about, but we do have a number of customers that are in Asia, so we’ll provide these anyway.


Semaphores

  • Global\Door-ndisproxy-mn
  • Global\Door-ndisproxy-help
  • Global\Door-ndisproxy-notify

Services

  • ndisproxy-mn
  • ndisproxy-help
  • ndisproxy-notify

Registry keys and values

  • HKLM\SOFTWARE\Classes\32ndisproxy-mn
  • HKLM\SOFTWARE\Classes\64ndisproxy-mn
  • HKCR\ndisproxy-mn\filterpd-ndisproxy-mn
  • HKLM\SOFTWARE\Classes\32ndisproxy-help
  • HKLM\SOFTWARE\Classes\64ndisproxy-help
  • HKCR\ndisproxy-mn\filterpd-ndisproxy-help
  • HKLM\SOFTWARE\Classes\32ndisproxy-notify
  • HKLM\SOFTWARE\Classes\64ndisproxy-notify
  • HKCR\ndisproxy-mn\filterpd-ndisproxy-notify
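As an added example (not part of Kaspersky’s report), this PowerShell function checks a single host for the service, semaphore and registry indicators listed above. The names are taken from the lists; the function name and output format are my own.

```powershell
# Added example: look for the NDISProxy service, semaphore and registry
# indicators from the report on the local host. Run from an elevated prompt.
$Names = 'ndisproxy-mn', 'ndisproxy-help', 'ndisproxy-notify'

function Find-NdisProxyIndicators {
    $hits = @()
    foreach ($n in $Names) {
        # Services: Get-Service errors on an unknown name, so probe quietly.
        if (Get-Service -Name $n -ErrorAction SilentlyContinue) {
            $hits += "service: $n"
        }
        # Semaphores: OpenExisting throws if the named object does not exist;
        # an access-denied error means it exists but we cannot open it.
        try {
            $s = [System.Threading.Semaphore]::OpenExisting("Global\Door-$n")
            $s.Dispose()
            $hits += "semaphore: Global\Door-$n"
        } catch [System.UnauthorizedAccessException] {
            $hits += "semaphore (exists, access denied): Global\Door-$n"
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present
        }
        # Registry keys, exactly as listed in the report (HKCR has no default
        # drive in PowerShell, so it is addressed through the Registry provider).
        $keys = "HKLM:\SOFTWARE\Classes\32$n",
                "HKLM:\SOFTWARE\Classes\64$n",
                "Registry::HKEY_CLASSES_ROOT\ndisproxy-mn\filterpd-$n"
        foreach ($k in $keys) {
            if (Test-Path -LiteralPath $k) { $hits += "registry: $k" }
        }
    }
    return $hits
}

$found = Find-NdisProxyIndicators
if ($found) { $found | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No NDISProxy indicators found on this host.' }
```

An empty result only means these particular artifacts are absent; pair it with the signer check on the driver files, since the service and key names are trivially changed in a new build while the signing certificate is harder to replace.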