**Blogs** **Security Response** # Security Response ### +3 **3 Votes** ##### Symantec Official Blog ## Suckfly: Revealing the secret life of your code signing certificates #### A China-based APT group has an insatiable appetite for stolen code- signing certificates. **By: Jon_DiMaggio** **SYMANTEC EMPLOYEE** **Created 15 Mar 2016** **0** **Share** **Many security-minded organizations utilize code signing to provide an additional layer of** **security and authenticity for their software and files. Code signing is carried out using a type** **of digital certificate known as a code-signing certificate. The process of code signing** **validates the authenticity of legitimate software by confirming that an application is from the** ----- **also live an unintended secret life providing cover for attack groups, such as the Suckfly** **APT group.** **In late 2015, Symantec identified suspicious activity involving a hacking tool used in a** **malicious manner against one of our customers. Normally, this is considered a low-level alert** **easily defeated by security software. In this case, however, the hacktool had an unusual** **characteristic not typically seen with this type of file; it was signed with a valid code-signing** **certificate. Many hacktools are made for less than ethical purposes and are freely available,** **so this was an initial red flag, which led us to investigate further.** **As our investigation continued, we soon realized this was much larger than a few hacktools.** **We discovered Suckfly, an advanced threat group, conducting targeted attacks using** **multiple stolen certificates, as well as hacktools, and custom malware. The group had** **obtained the certificates through pre-attack operations before commencing targeted attacks** **against a number of government and commercial organizations spread across multiple** **continents over a two-year period. This type of activity and the malicious use of stolen** **certificates emphasizes the importance of safeguarding certificates to prevent them from** **being used maliciously.** **An appetite for stolen code-signing certificates** **Suckfly has a number of hacktools and malware varieties at its disposal. Figure 1 identifies** **the malware and tools based on functionality and the number of signed files with unique** **hashes associated with them.** **_Figure 1_** **_Suckfly hacking tools and malware characterized by functionality_** ----- **message block (SMB) scanner. The organization associated with this certificate is a South** **Korean mobile software developer. While initially suspicious because the hacktool was** **signed, we became more suspicious when we realized a mobile software developer had** **signed it, since this is not the type of software typically associated with a mobile application.** **Based on this discovery, we began to look for other binaries signed with the South Korean** **mobile software developer's certificate. This led to the discovery of three additional hacktools** **also signed using this certificate. In addition to being signed with a stolen certificate, the** **identified hacktools had been used in suspicious activity against a US-based health provider** **operating in India. This evidence indicates that the certificate’s rightful owner either misused** **it or it had been stolen from them. Symantec worked with the certificate owner to confirm** **that the hacktool was not associated with them.** **Following the trail further, we traced malicious traffic back to where it originated from and** **looked for additional evidence to indicate that the attacker persistently used the same** **infrastructure. We discovered the activity originated from three separate IP addresses, all** **located in Chengdu, China.** **In addition to the traffic originating from Chengdu, we identified a selection of hacktools and** **malware signed using nine stolen certificates.** **The nine stolen certificates originated from nine different companies who are physically** **located close together around the central districts of Seoul, South Korea. Figure 2 shows the** **region in which the companies are located.** ----- **_certificates are located (Map data © 2016 SK planet)_** **While we do not know the exact circumstances of how the certificates were stolen, the most** **likely scenario was that the companies were breached with malware that had the ability to** **search for and extract certificates from within the organization. We have seen this capability** **built into a wide range of malware for a number of years now.** **The organizations who owned the stolen certificates were from four industries (see Figure** **3).** **_Figure 3. Owners of stolen certificates, by industry_** **A timeline of misuse** **We don't know the exact date Suckfly stole the certificates from the South Korean** **organizations. However, by analyzing the dates we first saw the certificates paired with** **hacktools or malware, we can gain insight into when the certificates may have been stolen.** **Figure 4 details how many times each stolen certificate was used in a given month.** ----- **_Figure 4. Tracking Suckfly’s use of stolen certificates, by month_** **The first sighting of three of the nine stolen certificates being used maliciously occurred in** **early 2014. Those three certificates were the only ones used in 2014, making it likely that** **the other six were not compromised until 2015. All nine certificates were used maliciously in** **2015.** **Based on the data in Figure 4, the first certificates used belonged to Company A** **(educational software developer) and Company B (video game developer #2). Company A's** **certificate was used for over a year, from April 2014 until June 2015 and Company B's** **certificate was used for almost a year, from July 2014 until June 2015. When we discovered** **this activity, neither company was aware that their certificates had been stolen or how they** **were being used. Since the companies were unaware of the activity, neither stolen certificate** **had been revoked. When a certificate is revoked, the computer displays a window explaining** **that the certificate cannot be verified and should not be trusted before asking the user if they** **want to continue with the installation.** **Signed, sealed, and delivered** **As noted earlier, the stolen certificates Symantec identified in this investigation were used to** **sign both hacking tools and malware. Further analysis of the malware identified what looks** **like a custom back door. We believe Suckfly specifically developed the back door for use in** **[cyberespionage campaigns. Symantec detects this threat as Backdoor.Nidiran.](https://www.symantec.com/security_response/writeup.jsp?docid=2015-120123-5521-99)** **Analysis of Nidiran samples determined that the back door had been updated three times** ----- **and likely performed to add capabilities and avoid detection. While the malware is custom, it** **only provides the attackers with standard back door capabilities.** **Suckfly delivered Nidiran through a strategic web compromise. Specifically, the threat group** **used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE** **Remote Code Execution Vulnerability (CVE-2014-6332), which affects specific versions of** **Microsoft Windows. This exploit is triggered when a potential victim browses to a malicious** **page using Internet Explorer, which can allow the attacker to execute code with the same** **privileges as the currently logged-in user.** **Once exploit has been achieved, Nidiran is delivered through a self-extracting executable** **that extracts the components to a .tmp folder after it has been executed. The threat then** **executes “svchost.exe”, a PE file, which is actually a clean tool known as OLEVIEW.EXE.** **The executable will then load iviewers.dll, which is normally a clean, legitimate file. Attackers** **have been known to distribute malicious files masquerading as the legitimate iviewers.dll file** **and then use DLL load hijacking to execute the malicious code and infect the computer. This** **[technique is associated with the Korplug/Plug-x malware and is frequently used in China-](http://www.symantec.com/connect/blogs/backdoorkorplug-loading-malicious-components-through-trusted-applications)** **based cyberespionage activity.** **High demand for code-signing certificates** **Suckfly isn’t the only attack group to use certificates to sign malware but they may be the** **[most prolific collectors of them. After all, Stuxnet, widely regarded as the world’s first known](http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99)** **[cyberweapon, was signed using stolen certificates from companies based in Taiwan with](http://www.welivesecurity.com/2010/07/22/why-steal-digital-certificates/)** **[dates much earlier than Suckfly. Other cyberespionage groups, including Black Vine and](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf)** **[Hidden Lynx, have also used stolen certificates in their campaigns.](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjJxpKJjKjLAhUY1GMKHac1DkEQFgggMAA&url=http%3A%2F%2Fwww.symantec.com%2Fcontent%2Fen%2Fus%2Fenterprise%2Fmedia%2Fsecurity_response%2Fwhitepapers%2Fhidden_lynx.pdf&usg=AFQjCNHSDsX6EuF1cDE0DELMKbjv4MP3lw)** **In April 2013, a third-party vendor published a report about a cyberespionage group using** **[custom malware and stolen certificates in their operations. The report documented an](https://threatpost.com/winnti-cyberespionage-campaign-targets-gaming-companies-041113/77717/)** **advanced threat group they attributed to China. Symantec tracks the group behind this** **[activity as Blackfly and detects the malware they use as Backdoor.Winnti.](https://www.symantec.com/security_response/writeup.jsp?docid=2011-102716-2809-99)** **The Blackfly attacks share some similarities with the more recent Suckfly attacks. Blackfly** **began with a campaign to steal certificates, which were later used to sign malware used in** **targeted attacks. The certificates Blackfly stole were also from South Korean companies,** **primarily in the video game and software development industry. Another similarity is that** **Suckfly stole a certificate from Company D (see Figure 4) less than two years after Blackfly** **had stolen a certificate from the same company. While the stolen certificates were different,** **and stolen in separate instances, they were both used with custom malware in targeted** **attacks originating from China.** ----- **investigation and the other attacks we have discussed. Attackers are taking the time and** **effort to steal certificates because it is becoming necessary to gain a foothold on a targeted** **computer. Attempts to sign malware with code-signing certificates have become more** **common as the Internet and security systems have moved towards a more trust and** **reputation oriented model. This means that untrusted software may not be allowed to run** **unless it is signed.** **[As we noted in our previous research on the Apple threat landscape, some operating](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf)** **systems, such as Mac OS X, are configured by default to only allow applications to run if** **they have been signed with a valid certificate, meaning they are trusted.** **_Figure 5. OS X can be configured to only permit trusted apps to execute_** **However, using valid code-signing certificates stolen from organizations with a positive** **reputation can allow attackers to piggyback on that company’s trust, making it easier to slip** **by these defenses and gain access to targeted computers.** **Conclusion** **Suckfly paints a stark picture of where cyberattack groups and cybercriminals are focusing** **their attentions. Our investigation shines a light on an often unknown and seedier secret life** **of code signing certificates which is completely unknown to their owners The implications of** ----- **from falling into the wrong hands. It is important to give certificates the protection they need** **so they can't be used maliciously.** **The certificates are only as secure as the safeguards that organizations put around them.** **Once a certificate has been compromised, so has the reputation of the organization who** **signed it. An organization whose certificate has been stolen and used to sign malware will** **always be associated with that activity.** **Symantec monitors for this type of activity to help prevent organizations from being tied to** **malicious actions undertaken with their stolen certificates. During the course of this** **investigation, we ensured that all certificates compromised by Suckfly were revoked and the** **affected companies notified.** **Over the past few years, we have seen a number of advanced threats and cybercrime** **groups who have stolen code-signing certificates. In all of the cases involving an advanced** **threat, the certificates were used to disguise malware as a legitimate file or application.** **As this trend grows, it is more important than ever for organizations to maintain strong** **cybersecurity practices and store their certificates and corresponding keys in a secure** **environment. Using encryption, and services such as Symantec’s Extended Validation (EV)** **[Code Signing, and Symantec’s Secure App Service can provide additional layers of security.](https://www.symantec.com/code-signing/secure-app-service/)** **Protection** **Symantec has the following detections in place to protect against Suckfly’s malware:** **Antivirus** **[Backdoor.Nidiran](https://www.symantec.com/security_response/writeup.jsp?docid=2015-120123-5521-99)** **[Backdoor.Nidiran!g1](http://www.symantec.com/security_response/writeup.jsp?docid=2015-120200-0342-99)** **[Hacktool](http://www.symantec.com/security_response/writeup.jsp?docid=2001-081707-2550-99)** **[Exp.CVE-2014-6332](https://www.symantec.com/security_response/writeup.jsp?docid=2014-111313-5510-99)** **Intrusion prevention system** **[Web Attack: Microsoft OleAut32 RCE CVE-2014-6332](http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28032)** **[Web Attack: Microsoft OleAut32 RCE CVE-2014-6332 2](http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27813)** **[Web Attack: Microsoft OleAut32 RCE CVE-2014-6332 4](http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70116)** **[Web Attack: OLEAUT32 CVE-2014-6332 3](http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28890)** **[System Infected: Trojan.Backdoor Activity 120](https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28977)** **Further information** ----- **[visit our Code Signing Information Center.](https://www.symantec.com/page.jsp?id=code-signing-information-center)** **To learn more about how best to protect your code-signing certificates, read our** **[whitepaper: Securing Your Private Keys As Best Practice for Code Signing Certificates](https://www.symantec.com/content/en/us/enterprise/white_papers/b-securing-your-private-keys-csc-wp.pdf)** **Tags: Security, Security Response, Endpoint Protection (AntiVirus), APT, Backdoor.Nidiran,** **Backdoor.Winnti, black vine, China, code-signing certificates, digital certificate, Hacktool, Hidden Lynx,** **, plug-x, Stuxnet, Suckfly** **Subscriptions (0)** **Jon_DiMaggio** **View Profile** **[Login or Register to post comments.](https://www-secure.symantec.com/connect/user/login?destination=node%2F3577771)** -----