
'Destover' Malware Now Digitally Signed by Sony Certificates


Reefa


Several days ago, our products detected an unusual sample from the Destover family. The Destover family of trojans has been used in the high-profile attacks known as DarkSeoul, in March 2013, and more recently in the attack against Sony Pictures in November 2014. We wrote about it on December 4th, including the possible links with the Shamoon attack from 2012.

The new sample is unusual in the sense that it is signed by a valid digital certificate from Sony:

[image: signature_is_ok.png]

The signed sample had previously been observed in unsigned form, as MD5 6467c6df4ba4526c7f7a7bc950bd47eb, and appears to have been compiled in July 2014.

The new sample has the MD5 e904bf93403c0fb08b9683a9e858c73e and appears to have been signed on December 5th, 2014, just a few days ago.

[image: timestamp.png]

Functionally, the backdoor contains two C&Cs and will alternately try to connect to both, with delays between connections:

  • 208.105.226[.]235:443 - United States Champlain Time Warner Cable Internet Llc
  • 203.131.222[.]102:443 - Thailand Bangkok Thammasat University

So what does this mean? The stolen Sony certificates (which were also leaked by the attackers) can be used to sign other malicious samples. In turn, these can be further used in other attacks. Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective. We've seen attackers leverage trusted certificates in the past, as a means of bypassing whitelisting software and default-deny policies.

We've already reported the digital certificate to COMODO and we hope it will be blacklisted soon. Kaspersky products will still detect the malware samples even if signed by digital certificates.

Stolen certificate serial number:

  • 01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce

Thumbprint:

  • 8d f4 6b 5f da c2 eb 3b 47 57 f9 98 66 c1 99 ff 2b 13 42 7a

Source

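A check a defender can run against the indicators above, added here and not part of the Securelist post or Kaspersky's tooling: the PowerShell below pulls the Authenticode signer out of every PE under a scan path and matches it against the published serial number and SHA-1 thumbprint (written without spaces and in upper case, which is how .NET's X509Certificate2 exposes them). The scan path C:\Scan and the function names are placeholders. The point it makes is that a Valid status from Get-AuthenticodeSignature says nothing about intent once the signing key is in the attacker's hands, so the match is done on the certificate identity, not on the chain result.

```powershell
# Added example: hunt for binaries signed with the stolen Sony certificate
# described in the post. Serial and thumbprint are the values the post
# publishes, reformatted to match X509Certificate2.SerialNumber / .Thumbprint.
$StolenSerial     = '01E2B4F759811C64379FCA0BE76D2DCE'
$StolenThumbprint = '8DF46B5FDAC2EB3B4757F99866C199FF2B13427A'

function Test-StolenSonyCert {
    # Returns one record per file: chain status plus whether the signer is the stolen cert.
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate          # $null for unsigned files

    if ($null -eq $cert) {
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; Subject = $null
            Serial = $null; Thumbprint = $null; StolenCert = $false
        }
    }

    # Thumbprint is the authoritative match (hash of the whole certificate);
    # the serial number is only unique per issuing CA, so it is a secondary hit.
    # PowerShell's -eq on strings is case-insensitive, so casing does not matter here.
    $hit = ($cert.Thumbprint -eq $StolenThumbprint) -or ($cert.SerialNumber -eq $StolenSerial)

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status            # Valid / NotSigned / HashMismatch / NotTrusted ...
        Subject    = $cert.Subject
        Serial     = $cert.SerialNumber
        Thumbprint = $cert.Thumbprint
        StolenCert = $hit
    }
}

function Block-SignerCert {
    # Hardening step: copy the signer certificate of a known-bad sample into the
    # machine's Disallowed (Untrusted Certificates) store, so Windows treats every
    # binary signed with it as untrusted without waiting for the CA to revoke it.
    # Requires an elevated shell.
    param([Parameter(Mandatory)][string]$SamplePath)

    $cert = (Get-AuthenticodeSignature -FilePath $SamplePath).SignerCertificate
    if ($null -eq $cert) { throw "No signer certificate found in $SamplePath" }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
}

# Usage: scan a tree (placeholder path) and list only files signed with the stolen cert.
$results = Get-ChildItem -Path 'C:\Scan' -Recurse -Include *.exe, *.dll -File |
    ForEach-Object { Test-StolenSonyCert -Path $_.FullName }

$results | Where-Object StolenCert | Format-Table Path, Status, Serial, Thumbprint -AutoSize
```

Two caveats a practitioner should keep in mind. A sample that still reports Status = Valid is exactly the case the post warns about: whitelisting and default-deny products that key on "trusted publisher" will pass it, which is why the match is on thumbprint rather than chain result. And once the certificate is revoked, a countersigned timestamp that predates the revocation date can still let the signature validate, so a local Disallowed-store entry (or an EDR/AppLocker rule keyed on the thumbprint) is worth having independently of the CA's action.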


Ballistic Gelatin

Years ago, when it was discovered that Sony surreptitiously embedded a rootkit in one of its music CDs, I swore I'd never buy another Sony product again. And I haven't.

Hey, Sony, what goes around, comes around!



Years ago, when it was discovered that Sony surreptitiously embedded a rootkit in one of its music CDs, I swore I'd never buy another Sony product again. And I haven't.

Hey, Sony, what goes around, comes around!

You should be sending Sony an email once a year to tell them that another year has passed where you did not buy any of their stuff.



So what will happen to Sony?

Is this its end, or will next year be a shitty year for all its employees, stakeholders and avid fanboy consumers? :think:



Archived

This topic is now archived and is closed to further replies.
