Cybercriminals Exploit New Method of Malware Distribution
Recently, cybercriminals have been utilizing a sophisticated method of spreading malware through abuse of certificates. The primary objective of this campaign is to steal accounting data, other confidential information, and in some cases, cryptocurrency. The method employed involves poisoning search results to redirect users to malicious pages offering hacking software.
The hackers deliver victims to malicious sites, while foregrounding illegal software “cracks” on the pages. As reported by ASEC researchers from South Korea on October 10, the background installation of remote access malware, known as Lummac2 and Recordbreaker (aka Raccoon Stealer V2), takes place without the victim’s knowledge.
In addition to the distribution through websites hosting illegal software, researchers have identified instances of Recordbreaker being spread through YouTube and other malicious programs.
What is noteworthy is that the malware uses non-standard certificates with abnormally long lines in the “Subject Name” and “Issuer Name” fields. Consequently, these certificates remain invisible to Windows systems. The signatures are composed of Arabic, Japanese, and other non-English languages, as well as special symbols.
The most recent occurrence of this malicious activity involves a line of malicious code designed to load and execute PowerShell commands.
“Such samples have been consistently distributed with slight structural changes for more than two months, suggesting a specific intention behind these actions,” wrote an ASEC researcher.
While these certificates would likely fail a signature check, they can still confuse and potentially bypass certain security measures. The abuse of certificates has become a common tactic used by threats.
Lummac2 and Raccoon Stealer are well-known among security specialists. These malware can transmit sensitive information, including accounting data, documents, cryptocurrency wallet files, and