Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

This VPN is being abused to spread malware

Petya nagscreen

Cybersecurity researchers from SentinelLabs have recently spotted a hacking campaign in which legitimate certificates used by a VPN service were abused to hide malware in plain sight.

The researchers pinned the campaign to Bronze Starlight, a Chinese state-sponsored APT, which was after companies in the gambling industry, located in the Southeast Asia region. 

As per their report, the group was distributing two .NET executables - agentupdate_plugins.exe and AdventureQuest.exe, most likely through trojanized chat apps. The goal of the campaign, according to the researchers, is to deliver a Cobalt Strike beacon. 

Hiding in plain sight

Cobalt Strike is a commercial penetration testing tool, used by both security professionals and cybercriminals. Legitimate use cases include testing the security of networks and systems. 

The code-signing certificate for the .NET executables was the same one that’s used by the installer for Ivacy VPN, a popular virtual private network solution.

By using a legitimate certificate, the attackers can bypass cybersecurity solutions installed on the target endpoint, and also make sure that any inbound and outbound traffic generated by the malware remains hidden. 

The researchers also discovered that the two .NET executables were designed not to work in certain countries, including the United States, Germany, France, Russia, India, Canada, or the UK, most likely to further evade detection. But the geofencing feature wasn’t implemented properly, they added.

"It is likely that at some point the PMG PTE LTD signing key has been stolen – a familiar technique of known Chinese threat actors to enable malware signing," SentinelLabs said. "VPN providers are critical targets since they enable threat actors to potentially gain access to sensitive user data and communications."

Ivacy VPN is currently silent on the matter, so it’s difficult to determine exactly how the hackers obtained the certificates. They have, since then, been invalidated for breaching “baseline requirements” set up by DigiCert.

Via: BleepingComputer

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.