Malware Using Fake Certificate to Evade Detection

Contributor: Hiroshi Shinotsuka

Malware authors are always seeking new ways to hone their craft. As cybercriminals are facing a multitude of preventative technologies from Symantec and users are becoming more security conscious, it is becoming increasingly difficult for the bad guys to win.

Recently, during research, we came across an oddly named sample, Word13.exe. Upon first glance, it appears to be a digitally signed file from Adobe.

Fake Certificate 4.jpg

Figure 1. Word13.exe file signed by Adobe

Fake Certificate 1.png

Figure 2. Fake digital signature properties

But upon closer inspection we found something very interesting.

Fake Certificate 2.png

Figure 3. Fake signature and certificate

It’s fake, as the “Issued By” field says "Adobe Systems Incorporated" - Adobe is a VeriSign customer. Also, in the certificate information, we see that the CA Root certificate is not trusted - another dead giveaway.

Fake Certificate 3.png

Figure 4. Legitimate Adobe signature and certificate

Symantec has protection in place and detects this file as Backdoor.Trojan.

Backdoor.Trojan will execute and inject itself into iexplore.exe or notepad.exe and start a back door function.

It may create the following files:

  • %UserProfile%\Application Data\ aobecaps \cap.dll
  • %UserProfile%\Application Data\ aobecaps \mps.dll
  • %UserProfile%\Application Data\ aobecaps \db.dat

It connects to the following command-and-control (C&C) server on port 3337:

  • Icet**** 

This back door may then perform the following actions:

  • Steal user and computer information
  • Create folders
  • Create, download, delete, move, search for, and execute files
  • Capture screenshots
  • Emulate mouse function
  • Steal Skype information

To ensure that you do not become a victim of this threat, please ensure that your antivirus definitions are always up-to-date and that your software packages are also regularly updated. Always double check the URL of the download that is being offered and, if applicable, check the certificate and signature just to be safe.