‘Destover’ Malware Now Digitally Signed by Sony Certificates
Several days ago, our products detected an unusual sample from the Destover family. The Destover family of trojans was used in the high-profile attacks known as DarkSeoul, in March 2013, and more recently in the attack against Sony Pictures in November 2014. We wrote about it on December 4th, including the possible links with the Shamoon attack from 2012.
The new sample is unusual in that it is signed with a valid digital certificate issued to Sony.
The signed sample had previously been observed in unsigned form, with MD5 6467c6df4ba4526c7f7a7bc950bd47eb, and appears to have been compiled in July 2014.
The new sample has MD5 e904bf93403c0fb08b9683a9e858c73e and appears to have been signed on December 5th, 2014, just a few days ago.
Functionally, the backdoor contains two C&C addresses and alternately tries to connect to each of them, with delays between connection attempts:
- 208.105.226[.]235:443 – United States Champlain Time Warner Cable Internet Llc
- 203.131.222[.]102:443 – Thailand Bangkok Thammasat University
So what does this mean? The stolen Sony certificates (which were also leaked by the attackers) can be used to sign other malicious samples, which in turn can be used in further attacks. Because signatures made with the Sony certificates are trusted by security solutions, signed samples are more likely to get through, which makes such attacks more effective. We've seen attackers leverage trusted certificates in the past as a means of bypassing whitelisting software and default-deny policies.
We've already reported the digital certificate to COMODO and Digicert and we hope it will be blacklisted soon. Kaspersky products still detect the malware samples even when they are signed with a valid digital certificate.
Stolen certificate serial numbers:
- 01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce
- 8d f4 6b 5f da c2 eb 3b 47 57 f9 98 66 c1 99 ff 2b 13 42 7a
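The serial numbers above are the practical hook for blocking binaries signed with the stolen certificates. As an added example that is not part of this post or of any Kaspersky tool, the Python below walks the DER encoding of an X.509 certificate just far enough to read its serialNumber and checks it against those two serials. It also normalizes the 0x00 byte that DER prepends to an INTEGER whose first byte has its high bit set (as 0x8d does), which is why the same certificate can be displayed as `00 8d f4 ...` by one tool and `8d f4 ...` by another. The input is constructed for the example: it carries only a version, a serial and filler bytes, and is not a real Sony certificate; the function and helper names are assumptions of the example.

```python
"""Blocklist check on an X.509 certificate's serial number (added example).

The two serials come from the post above. The "certificate" built by
build_sample_cert() is a constructed DER fragment with only the fields the
parser needs; it is not a real certificate.
"""

# Serials from the post, written as contiguous lowercase hex without the
# DER sign-padding byte.
BLOCKLISTED_SERIALS = {
    "01e2b4f759811c64379fca0be76d2dce",
    "8df46b5fdac2eb3b4757f99866c199ff2b13427a",
}


def normalize_serial(text):
    """Canonical form for comparing serials shown by different tools:
    lowercase hex, separators (spaces, colons) removed, leading 0x00
    octets stripped. DER inserts such a 0x00 when the first serial byte
    has its high bit set, and some viewers print it while others do not."""
    hexstr = "".join(ch for ch in text.lower() if ch in "0123456789abcdef")
    if len(hexstr) % 2:
        hexstr = "0" + hexstr
    while len(hexstr) > 2 and hexstr.startswith("00"):
        hexstr = hexstr[2:]
    return hexstr


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_bytes, next_pos).
    Handles short-form and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der):
    """Return the serialNumber of a DER-encoded certificate in normalized hex.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }"""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:  # [0] EXPLICIT version present (v2/v3); serial follows it
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return normalize_serial(value.hex())


def is_blocklisted(der):
    """True if the certificate's serial matches one of the stolen Sony serials."""
    return certificate_serial(der) in BLOCKLISTED_SERIALS


# --- helpers to construct the sample input (not part of the check itself) ---

def _tlv(tag, body):
    """DER-encode one TLV with a correct short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_integer(magnitude):
    """DER INTEGER from big-endian magnitude bytes, adding the 0x00 pad byte
    when the high bit of the first byte is set (so the value stays positive)."""
    if magnitude[0] & 0x80:
        magnitude = b"\x00" + magnitude
    return _tlv(0x02, magnitude)


def build_sample_cert(serial_hex):
    """Constructed minimal DER fragment: version v3, the given serial, and
    200 filler bytes standing in for the remaining tbsCertificate fields
    (the filler also forces long-form lengths on the enclosing SEQUENCEs)."""
    tbs = (_tlv(0xA0, _der_integer(b"\x02"))
           + _der_integer(bytes.fromhex(serial_hex))
           + _tlv(0x04, b"\x00" * 200))
    return _tlv(0x30, _tlv(0x30, tbs))


if __name__ == "__main__":
    for serial in ("8df46b5fdac2eb3b4757f99866c199ff2b13427a", "0123456789abcdef"):
        cert = build_sample_cert(serial)
        print(certificate_serial(cert), "blocklisted" if is_blocklisted(cert) else "ok")
```

One caveat for anyone turning this into a production check: a serial number is only unique within a single issuing CA, so a real blocklist entry should pair the serial with the issuer name, or simply key on the certificate's SHA-1/SHA-256 thumbprint, rather than on the serial alone as this example does. On a real Authenticode-signed PE the DER certificate would be pulled out of the PKCS#7 blob in the security directory (or via `Get-AuthenticodeSignature` on Windows) before being handed to `certificate_serial()`.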