Duqu 2.0 attackers used legitimate digital certificate issued by Foxconn to sign driver

Kaspersky Lab researchers discovered that Duqu 2.0 attackers used a stolen Foxconn digital certificate to sign a driver and sneak their malware under security radar.

Lee Davy (Creative Commons BY or BY-SA)

Should we still trust digital certificates as a reliable tool for computer code validation? Maybe not as Kaspersky Lab’s newest Duqu 2.0 analysis found that the attackers used stolen digital certificates issued to Foxconn to sneak their malware under security radar.

Kaspersky Lab researchers said on Monday:

The attackers created an unusual persistence module which they deploy on compromised networks. It serves a double function – it also supports a hidden C&C communication scheme. This organization-level persistence is achieved by a driver that is installed as a normal system service. On 64-bit systems, this implies a strict requirement for an Authenticode digital signature. We have seen two such persistence drivers deployed in the course of attacks.

By using legitimate certificates to install “malicious drivers on firewalls, gateways or any other servers that have direct Internet access on one side and corporate network access on the other side,” attackers can sneak Duqu 2.0 past security solutions and redirect traffic to specific ports; by using the certificates to sign evil drivers, the attackers can “access internal infrastructure from the Internet, avoid log records in corporate proxy servers and maintain a form of persistence after all.”

“Stealing digital certificates and signing malware on behalf of legitimate businesses seems to be a regular trick from the Duqu attackers,” the research team said. “We have no confirmation that any of these vendors have been compromised but our indicators definitely show that the Duqu attackers have a major interest in hardware manufacturers such as Foxconn, Realtek and Jmicron.”

Perhaps the most important part of this attack strategy is the digital signature used for the 64-bit driver. Because this is a mandatory requirement on 64-bit Windows systems, the driver had a valid digital signature. It was signed by “HON HAI PRECISION INDUSTRY CO. LTD.” (also known as “Foxconn Technology Group”, one of the world’s largest electronics manufacturers).

Foxconn digital signature of attacker’s driver Kaspersky Lab

Kaspersky Lab pointed out that Foxconn manufactures products like Apple’s iPad and iPhone, Sony’s PlayStation 4, Microsoft’s Xbox One, Nintendo’s Wii U and BlackBerry. Other major customers of Foxconn have included or still include some of the world’s largest enterprises such as Acer, Amazon, Cisco, Dell, Google, Hewlett-Packard, Toshiba and Vizio.

The researchers have not found any other malware signed with the same certificates, which “rules out the possibility that the certificates have been leaked and are being used by multiple groups. It also seems to indicate the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates.”

Additionally, the researchers said the Duqu attackers have access to multiple certificates and are careful not to reuse the same digital certificate twice. “If that’s true, then it means that the attackers might have enough alternative stolen digital certificates from other manufacturers that are ready to be used during the next targeted attack. This would be extremely alarming because it effectively undermines trust in digital certificates.”

Kaspersky researchers also noted, “Both Verisign and HON HAI (aka Foxconn) have been informed about the use of the certificate to sign the Duqu 2.0 malware.”

Copyright © 2015 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.