Malware developers are often abusing digital signatures in order to ensure that their creations have a better chance of slipping by unnoticed. In one attack analyzed by experts from FireEye, cybercriminals have been using a couple of files apparently signed with valid digital certificates.
When the main dropper is executed, a .dll file and a .exe file are dropped. The .dll file is signed with a forged digital signature apparently from Kaspersky.
The executable – QQLive.exe – is signed with a certificate from Chinese company Tencent Technology, better known as the creator of the popular QQ instant messaging service.
The interesting part is that QQLive.exe is a legitimate application that can be downloaded from the QQ website. The trick in this case is that the role of QQLive.exe is to facilitate the loading of the malware’s core DLL.
“By itself, the file poses no risk, but when this QQLive.exe is used to load the .DLL, it becomes a catalyst for infection,” FireEye’s J. Gomez noted
Tencent has been informed that its application is utilized for malicious purposes. The company has admitted that this isn’t the first time when this is happening, but it has still failed to revoke the certificate that is being used to sign the file.
Experts believe that the cybercriminals are using a QQ component because it’s not unusual for such software artifacts to be present on computers, considering that the instant messaging platform is utilized by well over 600 million users.
While in this particular case, the malware authors haven’t used a digital certificate to sign their creation, it’s clear that this technique can also be efficient to increase the risk level of the environments it infects.
“While digital signatures are supposed to help establish ‘trust’ and bolster security, an inconvenient truth is, in today's threat environment, it's getting more and more difficult to determine whom to actually trust,” Gomez concluded.