BlackTech APT Uses Stolen Certificates to Sign Plead Malware

Delaware, USA – July 10, 2018 – The BlackTech APT group conducts cyber-espionage campaigns against East Asian countries and is particularly interested in companies and state institutions in Taiwan. Researchers from ESET uncovered an active campaign distributing the Plead backdoor signed with legitimate code-signing certificates. Plead is a backdoor that allows adversaries to download and run other malware components, as well as steal credentials and documents; adversaries have been using it since at least 2012. In the current campaign, the BlackTech APT group uses certificates previously stolen from two Taiwanese companies: D-Link and Changing Information Technologies. The Changing Information Technologies certificate expired a year ago, but the D-Link certificates remained valid until the malicious campaign was detected. Signing malware with digital certificates makes it easier to bypass antivirus and other security solutions, but attackers mostly use fake or long-expired certificates.

The BlackTech cyber-espionage group has a wide range of backdoors and multifunctional modular malware in its arsenal, and abusing legitimate certificates allows it to avoid detection for a long time. To uncover such attacks, you can use your ArcSight with the Threat Hunting Framework and File Hash Analytics use cases, which help your SIEM detect signs of malware or a data breach in time, preventing further damage.
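The point of the campaign above is that a signature made with a stolen certificate verifies cleanly, so "signed and valid" is not a trust decision on its own. The following PowerShell triage script is an added example (not code from ESET, ArcSight or the original article): it walks signed PE files, checks the Authenticode status, runs chain and revocation validation on the signing certificate, and flags files whose signer matches a watch list of publishers known to have had certificates stolen. The thumbprint values and the `Test-SuspiciousSignedFile` function name are placeholders and assumptions; the report itself publishes no thumbprints, so fill the list from a trusted IoC source before use.

```powershell
# Added example, not from the original article. Triage signed binaries after a
# stolen-certificate report. Requires Windows PowerShell / PowerShell 7 on Windows.

# PLACEHOLDERS: replace with thumbprints of certificates known to be stolen/revoked.
$KnownAbusedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-1',
    'PLACEHOLDER-THUMBPRINT-2'
)

# Publishers named in the report as having had certificates abused (substring match
# on the signer's Subject DN). A hit here is a lead to investigate, not proof of malware.
$WatchedSubjects = @('D-Link', 'Changing Information Technolog')

function Test-SuspiciousSignedFile {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $reasons = @()

    # Status values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError.
    # HashMismatch means the file was modified after signing; NotTrusted means the
    # chain does not end at a trusted root (typical of fake certificates).
    if ($sig.Status -in @('HashMismatch', 'NotTrusted')) {
        $reasons += "authenticode status $($sig.Status)"
    }

    if ($cert) {
        if ($KnownAbusedThumbprints -contains $cert.Thumbprint) {
            $reasons += 'signer thumbprint is on the known-abused list'
        }
        foreach ($s in $WatchedSubjects) {
            if ($cert.Subject -like "*$s*") {
                $reasons += "signer matches watched publisher '$s'"
            }
        }
        # X509Certificate2.Verify() builds the chain with online revocation checking.
        # A stolen certificate that the CA has since revoked fails here even though
        # Get-AuthenticodeSignature may still report the file as Valid from cache.
        if (-not $cert.Verify()) {
            $reasons += 'certificate chain or revocation check failed'
        }
        # An expired certificate is still acceptable for files that carry a
        # timestamp countersignature made before expiry; expired AND untimestamped
        # is the pattern the article describes for "long-expired" certificates.
        if ($cert.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
            $reasons += 'signing certificate expired and file has no timestamp'
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject }    else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
        Reasons    = $reasons
    }
}

# Usage: scan user-writable locations and keep only files with at least one finding.
Get-ChildItem -Path "$env:USERPROFILE", "$env:ProgramData" -Recurse -Include *.exe, *.dll `
    -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousSignedFile -Path $_.FullName } |
    Where-Object { $_.Reasons.Count -gt 0 } |
    Format-List
```

The output is deliberately a list of reasons rather than a verdict: a D-Link-signed driver on a machine that actually has D-Link hardware is expected, while the same signer on an unknown binary in a user profile is worth a closer look. Feeding the `Thumbprint` and `Path` fields into the SIEM alongside file hashes is what makes the File Hash Analytics style of correlation mentioned above possible.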