Chinese Hackers Using Stolen Ivacy VPN Certificate To Sign Malware

The Bronze Starlight hacking group has used a legitimate Ivacy VPN code-signing certificate to sign malware aimed at the Southeast Asian gambling sector.

A legitimate certificate gives attackers a significant advantage: signed malware is less likely to be blocked by security controls or to trigger system alarms, and it blends in with authentic software and network activity.

According to SentinelLabs, the research firm that dissected the operation, the certificate is attributed to PMG PTE LTD, a Singaporean company that serves as the provider for the ‘Ivacy VPN’ product.

Using this technique, the hackers can get malware onto target devices without raising suspicion from security measures, and the signed files blend easily into legitimate software traffic.

Bronze Starlight

Bronze Starlight, also known as DEV-0401 and SLIME34, is a Chinese ransomware group that leans towards espionage and politically driven operations rather than purely financial ones. Its main arsenal covers a variety of ransomware strains, such as LockFile, LockBit 2.0, NightSky, AtomSilo, and Pandora, as previously documented by SecureWorks and Microsoft.

The attack begins with .NET executables such as AdventuresQuest.exe being sent to the target device via compromised chat apps. MalwareHunterTeam’s expert initially spotted this file and later shared it on X.

According to MalwareHunterTeam, the certificate employed in the attack resembled the one used in legitimate Ivacy VPN installations.

The executables then retrieve password-protected ZIP archives from Alibaba storage repositories through fake or infected versions of popular programs vulnerable to DLL hijacking, such as Microsoft Edge, Adobe Creative Cloud, and McAfee VirusScan.

Additional SentinelLabs research revealed that the executables included geo-restrictions, barring malware execution in specific Western nations like the USA, France, Germany, Russia, India, Canada, and the UK. This might indicate the hackers’ lack of interest in those countries or a calculated move to boost the campaign’s effectiveness.

Misuse of a valid certificate

The same certificate is used to sign the legitimate Ivacy VPN installer available from the VPN provider’s site.

The potential scope of data accessed by threat actors through the stolen certificate raises concerns among security experts.

PMG PTE LTD has not issued any public response following this revelation, so it remains unclear how the hackers obtained the certificate.

Meanwhile, in June 2023, DigiCert took action to revoke and invalidate the certificate due to its infringement of the “Baseline Requirements” criteria.
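For defenders, the two signals described above (the PMG PTE LTD signer showing up where the VPN client should not be, and DLL hijacking from user-writable folders) can be checked in image-load telemetry. The sketch below is an added example, not SentinelLabs' or the vendor's code; the record fields, the `Ivacy.exe` file name, the install paths and the status strings are assumptions, and the sample records are constructed.

```python
from pathlib import PureWindowsPath

WATCHED_SIGNER = "PMG PTE LTD"  # signer named in the article
# Assumptions: hypothetical fleet-specific paths, adjust to your environment.
EXPECTED_DIRS = (r"C:\Program Files\Ivacy",)
TRUSTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

def under(path, roots):
    """True if path sits below any of the root directories (case-insensitive)."""
    parents = PureWindowsPath(path).parents
    return any(PureWindowsPath(r) in parents for r in roots)

def triage(event):
    """Return the list of findings for one image-load record."""
    findings = []
    host, module = event["image"], event["loaded"]
    if event["signer"] == WATCHED_SIGNER:
        if event["status"] != "Valid":
            findings.append("watched-signer-not-valid")
        if not under(module, EXPECTED_DIRS):
            findings.append("watched-signer-unexpected-path")
    # Side-loading pattern: a host process outside the trusted roots loads
    # an unsigned DLL that sits in the host's own directory.
    same_dir = PureWindowsPath(host).parent == PureWindowsPath(module).parent
    if (module.lower().endswith(".dll") and not event["signed"]
            and same_dir and not under(host, TRUSTED_ROOTS)):
        findings.append("possible-dll-sideload")
    return findings

# Constructed sample records (not real telemetry); field names are hypothetical.
FIELDS = ("image", "loaded", "signed", "signer", "status")
ROWS = [
    (r"C:\Program Files\Ivacy\Ivacy.exe", r"C:\Program Files\Ivacy\Ivacy.exe",
     True, "PMG PTE LTD", "Valid"),
    (r"C:\Users\alice\Downloads\AdventuresQuest.exe",
     r"C:\Users\alice\Downloads\AdventuresQuest.exe", True, "PMG PTE LTD", "Revoked"),
    (r"C:\Users\alice\AppData\Local\Temp\upd\host.exe",
     r"C:\Users\alice\AppData\Local\Temp\upd\helper.dll", False, "", "Unavailable"),
    (r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\plugin.dll",
     False, "", "Unavailable"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]

def run(events=EVENTS):
    """Return (module path, findings) for every record with at least one finding."""
    return [(e["loaded"], f) for e in events if (f := triage(e))]

if __name__ == "__main__":
    for path, findings in run():
        print(path, findings)
```

A "Valid" status alone does not clear a file: the second rule still fires on a validly signed binary that runs from an unexpected location.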

About the Author:

FirstHackersNews- Identifies Security
