It’s bad enough when your website visitors receive an expired certificate warning that indicates a lapse in your security. But it’s even worse when these warnings actually harm visitors by allowing malware to download on their computers. Researchers spotted an attack campaign in which malicious actors used fake expired security certificate notifications to target users with malware.
Inside This Clever Attack Campaign
Kaspersky Lab discovered that those behind the campaign were using various infected websites to advance their malicious ends. Those websites ranged from a zoo to a vendor of auto parts, with the earliest compromises dating back to mid-January 2020.
On each infected website, the digital criminals inserted code that loaded the malicious jquery.js script “ldfidfa[.]pw/jquery.js?&up= &ts= &r= &u= &c=.” The script, in turn, loaded an iframe from https[:]//ldfidfa[.]pw//chrome.html and displayed the iframe’s content as an overlay with the exact same dimensions as the page—all except for the address bar, which still displayed the legitimate web address. Via this technique, attackers created the appearance of a security notification that urged users to update an expired security certificate.
A screenshot of the fake security certificate notification. (Source: Kaspersky Lab)
Security certificate is out of date.
Detected a potential security risk and has not extended the transition to ldfidfa.pw
Installing a security certificate may allow this connection to succeed.
Not surprisingly, nothing good happened when users decided to click on the “Install Recommended” button. As Kaspersky Lab noted in its research:
“Clicking the Install (Recommended) button on the banner initiates the download of the file Certificate_Update_v02.2020.exe, which we detect as Exploit.Win32.ShellCode.gen. Analysis of the file showed it to be Trojan-Downloader.Win32.Buerak, packed using Nullsoft Scriptable Install System. It is not the only malware distributed by the attackers. For example, Backdoor.Win32.Mokes was spread via the same campaign earlier in January.”
A historical look at Mokes
The Russian security firm first detected the Windows and Linux versions of the Mokes backdoor back in January 2016. Less than a year later, the company’s security tools came across the threat’s OS X variant “Backdoor.OSX.Mokes.a.”
All of these versions of the cross-platform backdoor were capable of executing arbitrary commands on a victim’s computer. Via these commands, Mokes could then proceed to steal various pieces of information from its victims including screenshots, audio and video files, Office documents and keystrokes. It then exfiltrated this data back to its command-and-control (C&C) server using AES-256-CBC encrypted communication.
Best security practices for organizations
The campaign described above represents just the latest disguise employed by digital criminals to conceal their malware. In the past, some attack campaigns have used a fake browser update to prey upon users. Other operations have leveraged phony updates to Adobe Flash Player.
Acknowledging these efforts, organizations should make an effort to secure their domains against compromise. They can do this by creating a strong set of credentials to protect their domains against brute force attacks. As an added layer of protection, organizations should also activate MFA to safeguard their domains in the event that their credentials are compromised.
Pratik Savla, Senior Security Engineer at Venafi, suspects that the security community will see more of these types of attacks in the future. In light of this likelihood, Savla feels that organizations need to do even more to safeguard their websites:
“To minimize the risk of these kinds of incidents the site owners need to regularly patch any third-party web applications they use to remediate known vulnerabilities and regularly inspect their pages for any kind of unauthorized change or modification. They also need to be on the look-out for any kind of obfuscated JavaScript within webpages. Web users need to diligently patch all client applications. More technical users may also be able to inspect the source of a site page and report any instances of compromise to the site owner. Otherwise, even with widespread awareness of this type of campaign/attack, users are still at risk of being compromised.”
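One way a site owner can act on that advice and catch the kind of injection described above (a foreign script tag added to every page) is a periodic integrity check of the served HTML. The following is an added example, not code from the original article or from Kaspersky Lab or Venafi: it flags any script or iframe source whose host is not on a per-site allowlist and compares a SHA-256 digest of the page against a stored known-good value. The allowlist, the sample page and the host `cdn.example.com` are constructed for illustration; the injected script URL mirrors the one reported in the campaign.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def find_unexpected_sources(html, allowed_hosts):
    """Return (tag, src, host) triples whose host is absent from allowed_hosts.
    Same-origin (relative) sources have no host and are treated as expected."""
    parser = _SrcCollector()
    parser.feed(html)
    flagged = []
    for tag, src in parser.sources:
        host = urlparse(src).hostname  # handles https://, http:// and //host forms
        if host and host.lower() not in allowed_hosts:
            flagged.append((tag, src, host.lower()))
    return flagged


def page_digest(html):
    """SHA-256 of the served HTML, compared against a stored known-good value."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed sample data: a known-good page and the same page after injection.
ALLOWED_HOSTS = {"cdn.example.com"}  # hypothetical allowlist for this site
CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/jquery.min.js"></script>
</head><body><h1>Zoo opening hours</h1></body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://ldfidfa.pw/jquery.js?&up=&ts=&r=&u=&c="></script>\n</head>')

if __name__ == "__main__":
    baseline = page_digest(CLEAN_PAGE)  # in practice, stored from a trusted deploy
    print("page changed since baseline:", page_digest(INJECTED_PAGE) != baseline)
    for tag, src, host in find_unexpected_sources(INJECTED_PAGE, ALLOWED_HOSTS):
        print(f"unexpected <{tag}> from {host}: {src}")
```

The check inspects static HTML only; the overlay iframe in this campaign was created at runtime by the injected script, so catching it directly would require snapshotting the rendered DOM (for example from a headless browser) and feeding that snapshot to the same function.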