We learned this week that attackers have been distributing an information-stealing Trojan disguised as a PDF reader that steals Facebook and Amazon session cookies as well as sensitive data from the Facebook Ads Manager. The attack was made public when MalwareHunterTeam posted that numerous sites were distributing a fake PDF editing program called 'PDFreader'.
According to Bleeping Computer, the data stolen includes session cookies, access tokens, account ids, advertising email address, associated pages, credit card info (number, expiration date), PayPal email, ad balances, spending limits, etc. The site also warns that attackers “could potentially use these stolen Facebook cookies to access accounts and use them to create their own ad campaigns.”
But, perhaps the most disturbing element of this attack is that its executables were signed by digital certificates issued by a legitimate Certificate Authority (CA). (Apparently, at least one of the digital certificates used in the attack was issued by Sectigo to "Rakete Content Gmbh".)
Why is this so frightening? Kevin Bocek, Venafi Vice President of Security Strategy and Threat Intelligence, notes, “Organizations use code signing to decide what software can run on their machines and devices. Unfortunately, attackers can use compromised or fraudulent code signing credentials to disguise malware as a trusted program.”
To better understand the impact of code-signed malware and how the misuse of machine identities in general undermines our trust in the digital economy, we asked several experts to weigh in on this attack. Here are some of their responses:
Kim Crawley, Information Security Content Writer
Cybersecurity professionals often like to believe that they can't be fooled by Trojans. But I looked at screenshots of the website that's distributing PDFreader, and it might have fooled me. The name is really generic; perhaps that's the only thing that might have tipped me off. But if I hadn't gotten enough sleep or I was in a hurry for an application that can open PDFs, I may still have clicked on the download link. When we try to educate users about avoiding Trojans and other forms of social engineering, we must be humble about our own ability to be deceived. Also, if the web browser determined the TLS certificates being used to be secure, that's still no guarantee that the website's safe. That's a common misconception.
Stealing Facebook cookies is serious business. Most people spend much of their lives on the platform. People and businesses may have sensitive financial data linked to their Facebook accounts. And with some consumer IoT devices interacting with Facebook APIs, the sky's the limit for how destructive stealing Facebook cookies may be.
Jing Xie, Venafi Security Researcher
Overall, our cybersecurity awareness as a whole has come a long way. We've accepted that a piece of legitimate software moving in the digital world must have an identity, and this is often represented by a code signing certificate issued by a Certificate Authority.
However, we’re entering a new stage in our security practices. We are seeing, and fighting, the abuse and misuse of legitimate software identities and this calls for a re-examination and re-positioning of our techniques.
This attack is a perfect example of our new challenges. We must be extra cautious in the future when visiting and trusting websites, even those that have been issued certificates.
Dave Howe, Security Analyst
From the report, I gather that this software (or at least the installer for it) is claimed to be digitally signed by a German advertising agency (Rocket Content) using a certificate issued by Sectigo (formerly Comodo) in the last couple of weeks. This COULD be a stolen signing certificate, but equally so could be corporate identity theft with the CA fooled into issuing the certificate (not a difficult task, sadly, provided the payment clears). Or it could be that the certificate was issued to a front company for malware—although they appear to be a legitimate company going back over a decade, despite the lack of a competent website.
We have to remember that commercial CAs (and there appears to have been significant consolidation of authorities in recent years) are there primarily to sell digital certificates at whatever rate the market will bear. In addition, many companies where software creation is not a core business unit can be careless with control of their signing keys. Plus, "packaged" companies can be bought cheaply, and you have to consider obtaining a valid signing key to be only a speed bump to a sufficiently tech-savvy criminal, not a significant deterrent.
Mark Miller, Venafi Director of Enterprise Security Support
Certificate authorities are in the business of trust; users are trained to trust a URL if they see a padlock in the address bar. Trust is a precious commodity on the Internet and attackers are more than willing to exploit it for their own personal gain.
We’re in the middle of an intense industry push to encrypt the entire web. Unfortunately, this trend has been a double-edged sword. If a bad actor purchases a certificate from a public CA, they are essentially buying trust. Attacks like the one that targets Facebook ad manager and Amazon session cookies are not uncommon.
Trojans have been distributed by websites with certificates before, and this will continue in the future.
During topical seasons, such as election years, we will probably see an increase in traffic pointing you to malicious ends. If anyone can buy a trusted certificate to sign their code, then we need to be extremely vigilant when visiting websites and downloading applications. Besides only focusing on a trusted certificate, users should always check that the source is known and good to the best of their ability.
Anastasios Arampatzis, Information Security Writer
Samples of this malware were digitally signed to give them a touch of authenticity. Sadly, digital certificates for signing Windows EXE files aren’t that difficult for criminals to acquire.
There are several ways a malicious actor can acquire digital certificates in other people’s names, such as stealing a certificate by hacking into a company server, discovering a certificate that was accidentally included in a public software upload, pretending to represent a company and buying a certificate in its name, or simply buying it on the Dark Web.
This malware, once installed, is digging into the browser’s database of cookies to look for authentication tokens that can be used to do Facebook lookups to reveal your ad spending. Interestingly enough, some of the samples of this malware were signed with a certificate that appeared to belong to a company associated with adware.
What can you do?
Kim Crawley recommends a stronger process for user education. “It may help to have a trusted resource online that identifies safe freeware and open source software for common purposes like opening PDFs, office productivity, media players, and so on.”
Anastasios Arampatzis recommends more specific steps you can take.
- Watch out for emails or websites that urge you to install “a new document reader or video viewer” to display their content.
- Be suspicious if apps pop up User Access Control warnings asking for powers you don’t think they need.
- Log out of websites and online services when you aren’t using them.
- Guard your cryptographic signing certificates. If you’re a developer and you let your code signing certificates fall into the hands of crooks, you’ve become part of the problem, not the solution.
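For developers acting on the last point, one of the acquisition routes mentioned above is a signing key accidentally included in a public software upload. The following is an added example, not code from this article or from any vendor: a pre-publish check that walks a release directory and flags private-key material while ignoring public certificates. The function names, the extension list, the size cap and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# PEM armor for private keys (PKCS#1, PKCS#8, EC, OpenSSH, encrypted variants).
# A "BEGIN CERTIFICATE" block is public data and deliberately does not match.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Assumption: extensions commonly used for containers that hold a signing key.
KEY_CONTAINER_EXTS = {".pfx", ".p12", ".pvk", ".key", ".jks"}
MAX_SCAN_BYTES = 5 * 1024 * 1024  # assumption: only the first 5 MiB is searched


def scan_release_tree(root):
    """Return (relative_path, reason) findings for files under root, path-sorted."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in KEY_CONTAINER_EXTS:
            findings.append((rel, "key-container-extension"))
        with path.open("rb") as fh:
            head = fh.read(MAX_SCAN_BYTES)
        if PEM_PRIVATE_KEY.search(head):
            findings.append((rel, "pem-private-key"))
    return findings


def build_sample_release(root):
    """Constructed sample tree: two clean files and two leaks (no real key data)."""
    root = Path(root)
    (root / "bin").mkdir()
    (root / "bin" / "app.exe").write_bytes(b"MZ\x90\x00 constructed placeholder")
    (root / "build").mkdir()
    (root / "build" / "codesign.pfx").write_bytes(b"\x30\x82 constructed placeholder")
    (root / "build" / "notes.txt").write_text(
        "deploy notes\n-----BEGIN ENCRYPTED PRIVATE KEY-----\nCONSTRUCTED\n"
        "-----END ENCRYPTED PRIVATE KEY-----\n"
    )
    (root / "cert.pem").write_text("-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in scan_release_tree(build_sample_release(tmp)):
            print(f"BLOCK PUBLISH: {rel} ({reason})")
```

Run as a release gate, any finding should stop the upload; a key that has already been published should be treated as compromised and its certificate revoked.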