Compromised websites are being used to distribute malware through fake security certificate update requests for supposedly expired certificates. Victims of this new attack technique are infected with Trojans and backdoors.
What Are Security Certificates?
In cryptography, a security certificate is an electronic document used to prove the ownership of a public key. Security certificates are also known as digital certificates or identity certificates and are issued by Certification Authorities.
Security certificates are used to communicate securely between users’ browsers and website servers. The certificates include information about the key and the identity of the owner of the key. They also include the digital signature of an entity that has verified the certificates’ contents.
When digital certificates expire and are not renewed, web browsers display a message. This message lets the user know that their connection with the requested website is no longer as secure as it should be.
How Does the New Attack Technique Work?
When victims visit certain compromised websites, they are presented with a fake error message stating that the security certificate has expired. This error message is presented within an iframe displayed over the website’s actual contents. An iframe is an HTML document embedded inside another HTML document on a website.
The malicious iframe is designed to fit exactly within the original webpage, with the URL bar still displaying the website’s legitimate web address. According to the Kaspersky Lab security researchers who discovered this new attack technique: “… instead of the original page, the user sees a seemingly genuine banner urgently prompting to install a certificate update.”
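The overlay described above has a recognisable shape in the page source: an iframe from a foreign origin, positioned to cover the whole viewport. The following is an added example (not code from the article or from Kaspersky) of a simple detector a site owner could run over their own pages; the HTML, hostnames and styling are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page whose body has been injected with a full-page,
# cross-origin iframe like the overlay described above (hypothetical domains).
SAMPLE_HTML = """
<html><head><title>Example Shop</title></head><body>
<iframe src="https://cdn.example-legit.test/widget" width="300" height="200"></iframe>
<iframe src="https://update-cert.example-bad.test/alert.html"
        style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999;border:0"></iframe>
<p>Welcome to our shop.</p>
</body></html>
"""

FULL_PAGE_HINTS = ("100%", "100vw", "100vh")

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append(dict(attrs))

def looks_full_page(style):
    """Heuristic: fixed/absolute positioning combined with a 100% width or height."""
    s = (style or "").replace(" ", "").lower()
    positioned = "position:fixed" in s or "position:absolute" in s
    covers = any(h in s for h in FULL_PAGE_HINTS)
    return positioned and covers

def find_overlay_iframes(html, site_host):
    """Return src values of iframes that are cross-origin AND sized to cover the page.
    Frames without a src (e.g. srcdoc-only) are not examined by this heuristic."""
    parser = IframeCollector()
    parser.feed(html)
    suspicious = []
    for f in parser.frames:
        src = f.get("src", "")
        host = urlparse(src).hostname or ""
        cross_origin = bool(host) and host != site_host and not host.endswith("." + site_host)
        if cross_origin and looks_full_page(f.get("style")):
            suspicious.append(src)
    return suspicious

if __name__ == "__main__":
    for src in find_overlay_iframes(SAMPLE_HTML, "shop.example.test"):
        print("possible overlay iframe:", src)
```

Run against a copy of the served page (not the source in the repository), since this kind of injection lives on the compromised server.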
Kaspersky researchers discovered that if users renew the supposed certificate, packed Buerak trojans or Mokes backdoors are downloaded to victims’ computers.
Buerak is a Trojan that runs on Windows systems. It can run code, tamper with computer processes and steal data. Mokes is a cross-platform backdoor that can run on all major operating systems. It can execute commands on victims’ systems, take screenshots and upload files. The backdoor can also record and exfiltrate audio and video captures.