Lethic Trojan is back, uses same stolen digital certificate as Stuxnet

Some two months ago, the world found out about Stuxnet, the worm that used the Windows .lnk file vulnerability in order to spread through removable drives to systems running Siemens SCADA software.

One of the reasons Stuxnet was able to propagate so fast and wide is that it was signed with stolen digital certificates, one of which belongs to Realtek Semiconductor Corp., a hardware manufacturer from Taiwan.

Fast forward two months, and a Zscaler researcher detects another piece of malware signed with a digital signature belonging to Realtek: a variant of the Lethic Trojan. The only difference is that in the Stuxnet case, the software was seemingly verified by the certificate authority, as one can see in the following PE File Version Info data structure:
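The distinction the article draws matters for triage: the "CompanyName" string in a PE file's version info is free-form metadata that any author can write, while an Authenticode signature lives in a separate data directory and is the only part a certificate actually vouches for. The script below is an added example written for this page; it is not code from Zscaler, Realtek or the article. It builds a constructed minimal PE32 image (not a real binary, with a placeholder certificate blob that is not a valid PKCS#7 structure) and then parses both the version string and the Security data directory so that the two can be reported side by side.

```python
import struct
from typing import Optional

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index of the Authenticode data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType used by Authenticode


def vs_string(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO 'String' structure: wLength, wValueLength, wType,
    szKey, DWORD padding, Value. wValueLength counts UTF-16 chars incl. NUL."""
    k = key.encode("utf-16-le") + b"\0\0"
    v = value.encode("utf-16-le") + b"\0\0"
    pad = (-(6 + len(k))) % 4
    body = k + b"\0" * pad + v
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


def build_sample_pe(company: str, signed: bool) -> bytes:
    """Constructed sample (not a real file): DOS stub, COFF header, PE32 optional
    header with 16 data directories, one version string and, if requested, a
    placeholder WIN_CERTIFICATE referenced from the Security directory."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    headers_len = len(dos) + len(coff) + len(opt) + 16 * 8       # 312 bytes
    version = vs_string("CompanyName", company)
    dirs = [(0, 0)] * 16
    cert = b""
    if signed:
        blob = b"\x30\x82" + b"\0" * 30        # placeholder bytes, NOT a real PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len + len(version), len(cert))
    dd = b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    return dos + coff + opt + dd + version + cert


def version_string(pe: bytes, key: str) -> Optional[str]:
    """Pull a StringFileInfo value by key. Nothing ties this text to any
    certificate: it is whatever the author of the file chose to write."""
    needle = key.encode("utf-16-le") + b"\0\0"
    pos = pe.find(needle)
    if pos < 6:                                  # not found, or no room for header
        return None
    start = pos - 6
    _w_length, w_value_length, w_type = struct.unpack_from("<HHH", pe, start)
    if w_type != 1 or w_value_length == 0:       # wType 1 = text value
        return None
    off = 6 + len(needle)
    off += (-off) % 4                            # Value is DWORD aligned
    raw = pe[start + off: start + off + (w_value_length - 1) * 2]
    return raw.decode("utf-16-le")


def authenticode_entry(pe: bytes) -> Optional[dict]:
    """Read the Security data directory. A signed PE points it at a
    WIN_CERTIFICATE; presence alone proves nothing until the PKCS#7 chain and
    the image hash are verified, which this helper does not do."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                          # optional header follows 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    n_dirs = struct.unpack_from("<I", pe, dd - 4)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    file_off, size = struct.unpack_from("<II", pe, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if file_off == 0 or size < 8:
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", pe, file_off)
    return {"offset": file_off, "length": length, "revision": revision, "type": cert_type}


def triage(pe: bytes) -> dict:
    """Report what the metadata claims next to whether a signature blob exists."""
    sig = authenticode_entry(pe)
    return {
        "company": version_string(pe, "CompanyName"),
        "has_signature_blob": sig is not None,
        "verdict": ("version info only: unauthenticated claim" if sig is None
                    else "signature present: verify the chain before trusting it"),
    }


if __name__ == "__main__":
    for signed in (False, True):
        print(triage(build_sample_pe("Realtek Semiconductor Corp.", signed)))
```

Run against a real file, `triage(open(path, "rb").read())` shows why a vendor name in the properties dialog is not evidence of anything: the unsigned sample reports the same company string as the signed one. A production check replaces the presence test with full Authenticode verification (hash of the image excluding the certificate table, chain validation, revocation), which is exactly the step that a stolen but still-valid certificate defeats, and why revocation of the Realtek certificate was the remedy.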

“Stuxnet and Lethic are completely different, and I am in no way presuming that one or more authors behind either malware campaign intersect,” says the Zscaler researcher. “I did think it was interesting that this one company is being ‘picked’ in malware campaigns though.”

He doesn’t believe that the same malware author(s) are behind both pieces of malware. He thinks it’s simply a matter of both of them choosing the same legitimate software package (the Realtek AC97 Audio product) information. “However, this does seem pretty coincidental,” he says. “Or perhaps it could be the ‘signature’ of a common author or group behind these artifacts – perhaps they seek to tarnish the reputation of this Taiwanese company for personal or political motivation – who knows?”
