Suckfly: Revealing the secret life of your Code Signing certificates

An appetite for stolen code-signing certificates

Suckfly has a number of hacktools and malware varieties at its disposal. Figure 1 identifies the malware and tools based on functionality and the number of signed files with unique hashes associated with them.

Figure 1. Suckfly hacking tools and malware, characterized by functionality

Following the trail further, we traced malicious traffic back to where it originated and looked for additional evidence that the attacker persistently used the same infrastructure. We discovered that the activity originated from three separate IP addresses, all located in Chengdu, China. In addition to the traffic originating from Chengdu, we identified a selection of hacktools and malware signed using nine stolen certificates. The nine stolen certificates originated from nine different companies that are physically located close together around the central districts of Seoul, South Korea. Figure 2 shows the region in which the companies are located.

Figure 2. Map showing the central districts of Seoul, where the companies with the stolen certificates are located (Map data © 2016 SK planet)

The first signed hacktool we identified in late 2015 was a digitally signed brute-force server message block (SMB) scanner. The organization associated with this certificate is a South Korean mobile software developer. We were initially curious because the hacktool was signed, but we became more suspicious when we realized that a mobile software developer had signed it, since this is not the type of software typically associated with a mobile application. Based on this discovery, we began to look for other binaries signed with the South Korean mobile software developer's certificate. This led to the discovery of three additional hacktools also signed using this certificate. In addition to being signed with a stolen certificate, the identified hacktools had been used in suspicious activity against a US-based health provider operating in India. This evidence indicates that the certificate's rightful owner either misused it or it had been stolen from them. Symantec worked with the certificate owner to confirm that the hacktool was not associated with them.

While we do not know the exact circumstances of how the certificates were stolen, the most likely scenario is that the companies were breached with malware that had the ability to search for and extract certificates from within the organization. We have seen this capability built into a wide range of threats for a number of years now.

The organizations that owned the stolen certificates were from four industries (see Figure 3).

Figure 3. Owners of stolen certificates, by industry

A timeline of misuse

We don't know the exact date Suckfly stole the certificates from the South Korean organizations. However, by analyzing the dates when we first saw the certificates paired with hacktools or malware, we can gain insight into when the certificates may have been stolen. Figure 4 details how many times each stolen certificate was used in a given month.

Figure 4. Tracking Suckfly's use of stolen certificates, by month

The first sighting of three of the nine stolen certificates being used maliciously occurred in early 2014. Those three certificates were the only ones used in 2014, making it likely that the other six were not compromised until 2015. All nine certificates were used maliciously in 2015. Based on the data in Figure 4, the first certificates used belonged to Company A (educational software developer) and Company B (video game developer #2). Company A's certificate was used for over a year, from April 2014 until June 2015, and Company B's certificate was used for almost a year, from July 2014 until June 2015. When we discovered this activity, neither company was aware that their certificates had been stolen or how they were being used. Since the companies were unaware of the activity, neither stolen certificate had been revoked. When a certificate is revoked, the computer displays a window explaining that the certificate cannot be verified and should not be trusted before asking the user if they want to continue with the installation.

Signed, sealed, and delivered

As noted earlier, the stolen certificates identified in this investigation were used to sign both hacking tools and malware. Further analysis of the malware identified what looks like a custom back door. We believe Suckfly developed the back door specifically for use in cyberespionage campaigns; this threat was identified as Backdoor.Nidiran. Analysis of Nidiran samples determined that the back door had been updated three times since early 2014, which fits the timeline outlined in Figure 4. The modifications were minor and likely performed to add capabilities and avoid detection. While the malware is custom, it only provides the attackers with standard back door capabilities.

DigiCert, Inc
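To make the timeline reasoning above concrete, the following Python example (added here; it is not code from the report or from Symantec) reproduces the Figure 1 and Figure 4 style analysis over a constructed set of signed-file sightings. The company labels follow the report's anonymised naming, but Company C and all file ids and dates are illustrative placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sighting records (not from the report): file id placeholder,
# owner of the certificate that signed the file, date the file was first
# seen in the wild, and tool family. Dates and Company C are illustrative.
SIGHTINGS = [
    ("file-0001", "Company A (educational software developer)", date(2014, 4, 12), "hacktool"),
    ("file-0002", "Company A (educational software developer)", date(2014, 9, 3), "Nidiran"),
    ("file-0003", "Company A (educational software developer)", date(2015, 6, 20), "Nidiran"),
    ("file-0004", "Company B (video game developer #2)", date(2014, 7, 1), "hacktool"),
    ("file-0005", "Company B (video game developer #2)", date(2015, 6, 9), "Nidiran"),
    ("file-0006", "Company C (mobile software developer)", date(2015, 11, 2), "hacktool"),
    ("file-0007", "Company C (mobile software developer)", date(2015, 11, 18), "hacktool"),
]


def usage_by_month(sightings):
    """Figure 4 style table: {signer: {"YYYY-MM": signed files first seen that month}}."""
    table = defaultdict(lambda: defaultdict(int))
    for _, signer, seen, _ in sightings:
        table[signer][seen.strftime("%Y-%m")] += 1
    return {signer: dict(months) for signer, months in table.items()}


def misuse_window(sightings):
    """{signer: (first_seen, last_seen)}. The first sighting is the latest date
    by which the certificate must already have been in the attacker's hands."""
    window = {}
    for _, signer, seen, _ in sightings:
        lo, hi = window.get(signer, (seen, seen))
        window[signer] = (min(lo, seen), max(hi, seen))
    return window


def signers_active_in_year(sightings, year):
    """Sorted certificate owners whose certificate signed a file first seen in `year`."""
    return sorted({signer for _, signer, seen, _ in sightings if seen.year == year})


def files_by_family(sightings):
    """Figure 1 style count: number of unique signed files per tool family."""
    counts = defaultdict(set)
    for file_id, _, _, family in sightings:
        counts[family].add(file_id)
    return {family: len(ids) for family, ids in counts.items()}
```

Feeding the same functions with real first-seen dates from a sandbox or telemetry feed gives the per-certificate windows the report uses to argue that six of the nine certificates were probably not compromised before 2015.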