Breaking News

EnGenius Brings Wi-Fi 7 to Small Businesses with Affordable ECW510 Access Point DJI to Showcase New Mic 3 and Full Product Portfolio at Berlin’s IFA MSI Unveils MAG 272QP QD-OLED X50 Monitor Sony completes its INZONE gaming gear range with new headsets and more GIGABYTE Announces Availability of 27” QD-OLED Gaming Monitor AORUS FO27Q5P

logo

The Duqu 2.0 Uses Foxconn's Digital Signature

The Duqu 2.0 Uses Foxconn's Digital Signature

Enterprise & IT 0

Researchers at Kaspersky Labs has taken a deeper look into the latest version of malware known as Duqu and they discovered that it used digital certificates from contract manufacturer Hon Hai Precision Industry, also known as Foxconn, to help mask its activity. Digital certificates are used for encrypting data and verifying the legitimacy of websites and applications.

The group that created Duqu is considered to be one of the most sophisticated cyberespionage teams. Researchers have noted the malware appears to be related to Stuxnet, the worm developed by the U.S. and Israel to sabotage Iran's nuclear program.

During previous research into Stuxnet and Duqu, the researchers had observed digitally signed malware (using malicious Jmicron and Realtek certs).

The digital certificates and signing malware on behalf of legitimate businesses seems to be a regular trick from the Duqu attackers. The security firm has no confirmation that any of these vendors have been compromised but indicators show that the Duqu attackers have a major interest in hardware manufacturers such as Foxconn, Realtek and Jmicron. This was confirmed in the 2014/2015 attacks, when Kaspersky observed infections associated with hardware manufacturers from APAC, including ICS and SCADA computer equipment manufacturers.

Besides these Duqu drivers the reseatches haven’t uncovered any other malware signed with the same certificates. That rules out the possibility that the certificates have been leaked and are being used by multiple groups. It also seems to indicate the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates.

Finally, the Duqu attackers seem to be careful enough not to use same digital certificate twice. If that’s true, then it means that the attackers might have enough alternative stolen digital certificates from other manufacturers that are ready to be used during the next targeted attack.

Kasperky labs has informed both Verisign and HON HAI about the use of the certificate to sign the Duqu 2.0 malware

Related Posts