Trojan masquerading as PDF signed with stolen government certificate

Since the discovery of the Stuxnet worm, and especially after the recent string of certification authority compromises, cyber attackers’ practice of using digital certificates to sign malware and impersonate popular websites has become known to everybody in the security community.

Whether these certificates are stolen or issued fraudulently, the result is the same: the system is fooled into thinking that thusly signed applications and phishing websites are legitimate and harmless.

Seeing that security professionals around the world are slowly losing faith in the digital identity certificate system, news that another piece of malware signed with a stolen code signing certificate has been discovered by F-Secure researchers doesn’t come as a great shock.

This particular malware is a downloader Trojan packaged into a PDF file signed with a certificate belonging to mardi.gov.my – the Agricultural Research and Development Institute of the Government of Malaysia.

According to the researchers, Malaysian authorities confirmed the origin of the certificate and said that it was stolen “quite some time ago”. The certificate is now expired (it was valid up to September 29, 2011), and F-Secure does not indicate how old the malware in question is.

“The malware itself has been spread via malicious PDF files that drop it after exploiting Adobe Reader 8,” the researchers shared. “The malware downloads additional malicious components from a server called worldnewsmagazines.org. Some of those components are also signed, although this time by an entity called www.esupplychain.com.tw.”

They haven’t said whether those signatures are still valid.

Share this
You are reading

Trojan masquerading as PDF signed with stolen government certificate