Data Thieves Test-Drive Unique Certificate Abuse Tactic

Attackers are employing a new type of certificate abuse in an attempt to spread info-stealing malware, with the aim of collecting credentials and other sensitive data. In some instances, the goal is to steal cryptocurrency from Windows systems.

The campaign uses search engine optimization (SEO) poisoning to deliver search results featuring malicious pages promoting illegal software cracks and downloads. In the background, the pages deliver remote access Trojans (RATs) known as LummaC2, and RecordBreaker (aka Raccoon Stealer V2) researchers from South Korea-based AhnLab revealed in a blog post on Oct. 10.

Notably, the malware uses abnormal certificates featuring Subject Name and Issuer Name fields that have unusually long strings, which means they require specific tools or infrastructure to inspect the certificates and are not visible in Windows systems.
Specifically, the signature strings include Arabic, Japanese, and other non-English languages, along with special characters and punctuation marks, diverging from the typical English character string structures, the researchers noted.

The latest sample currently in circulation consists of a string with a URL-encoded malicious script designed to download and execute PowerShell commands from a specific address, although the sample observed by researchers was unsuccessful in both downloading and execution.

"Similar samples of this kind have been consistently distributed with slight structural variations for over two months, suggesting a specific intent behind this action," researcher KDH of the AhnLab Security Emergency Response Center wrote in the post.
In addition to its delivery through websites promoting illegal cracks and downloads — such as a legitimate .NET installer — the researchers also observed RaccoonStealer V2 being distributed through YouTube and other malware.

Novel Type of Certificate Abuse

While the certificates likely would fail any signature verification since they are incorrect, they could confuse and thus slip past some defenses. Indeed, certificate abuse is a common tactic used by threat actors, but they typically go about it in a different way.

"Malware often disguise themselves with normal certificates," KDH wrote. "That is, typically threat actors deliver malware that have legitimately signed certificates that can be verified, thus appearing to be authentic software that is then cleared to be successfully downloaded and executed."

That's the tactic that threat actors responsible for the prolific RedLine and Vidar stealer malwares were recently seen using, distributing ransomware payloads signed with Extended Validation (EV) certifications that allowed them to slip past email security, researchers from TrendMicro revealed in a recent blog post.

Like those stealers, LummaC2 and Raccoon Stealer are both familiar to security researchers and have various malicious functionality, but the primary focus is on stealing data from the systems they infect.
"Upon infection, they can transmit sensitive user information such as browser-saved account credentials, documents, cryptocurrency wallet files, etc., to the threat actor, potentially resulting in severe secondary damages," according to the post.

"Furthermore, an additional piece of malware designated by the threat actor gets installed, enabling continuous malicious behaviors."
While it's clear that the long-string certificate technique is being tinkered with and only partially successful thus far, users should be aware of the approach. The AhnLab researchers urged Windows users to take caution when downloading software online, especially from sites known for delivering illegal versions of popular applications. They also provided various indicators of compromise and a list of command-and-control domains associated with the delivery of both LummaC2 and Raccoon Stealer V2.