The Duqu 2.0 Uses Foxconn's Digital Signature
Researchers at Kaspersky Labs has taken a deeper look into the latest version of malware known as Duqu and they discovered that it used digital certificates from contract manufacturer Hon Hai Precision Industry, also known as Foxconn, to help mask its activity. Digital certificates are used for encrypting data and verifying the legitimacy of websites and applications.
The group that created Duqu is considered to be one of the most sophisticated cyberespionage teams. Researchers have noted the malware appears to be related to Stuxnet, the worm developed by the U.S. and Israel to sabotage Iran's nuclear program.
During previous research into Stuxnet and Duqu, the researchers had observed digitally signed malware (using malicious Jmicron and Realtek certs).
The digital certificates and signing malware on behalf of legitimate businesses seems to be a regular trick from the Duqu attackers. The security firm has no confirmation that any of these vendors have been compromised but indicators show that the Duqu attackers have a major interest in hardware manufacturers such as Foxconn, Realtek and Jmicron. This was confirmed in the 2014/2015 attacks, when Kaspersky observed infections associated with hardware manufacturers from APAC, including ICS and SCADA computer equipment manufacturers.
Besides these Duqu drivers the reseatches haven’t uncovered any other malware signed with the same certificates. That rules out the possibility that the certificates have been leaked and are being used by multiple groups. It also seems to indicate the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates.
Finally, the Duqu attackers seem to be careful enough not to use same digital certificate twice. If that’s true, then it means that the attackers might have enough alternative stolen digital certificates from other manufacturers that are ready to be used during the next targeted attack.
Kasperky labs has informed both Verisign and HON HAI about the use of the certificate to sign the Duqu 2.0 malware