Certificate Authorities (CAs) issue the SSL/TLS certificates that let browsers and servers encrypt their communications and that vouch for a domain's identity. That is especially important for domains built around e-commerce, where identity validation helps build trust in the site's security.
A new method of phishing appears
Although certificate fraud and misuse do occur, cybercriminals most often pose as executives in order to obtain certificates issued for fraudulent domains. A new phishing approach now abuses the certificate trust system in a different way.
Kaspersky researchers found the new technique on a range of websites, from stores selling vehicle parts to a zoo. The earliest infections they identified date back to January 16, 2020.
Visitors to a domain compromised by the campaign were met with a warning that the site's security certificate was out of date. Normally that is something only the domain owner can fix; here, instead, users were prompted to install a fake security certificate update before proceeding to the website proper. The infected machines may then serve the cybercriminals' further goals as the campaign continues, from exfiltrating information to selling the data on the dark web.
How does the phishing campaign work in technical terms?
The message actually sits inside an iframe whose contents are loaded by a jquery.js script fetched from a third-party command-and-control server, and that server stays in contact with the infected machines. The URL bar still shows the legitimate domain's original address, which makes the phishing attempt look authentic.
According to the researchers, the jquery.js script overlays the iframe so that it is exactly the size of the page. Instead of the original page underneath, users see a genuine-looking banner asking them to install the fake certificate.
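As an added illustration (not part of the original report or of Kaspersky's tooling), the following defender-side check scans a page's HTML for the two signals described above: a jquery.js look-alike loaded from a host other than the site's own or a trusted CDN, and an iframe styled to cover the whole viewport. All hostnames and the sample page are constructed placeholders.

```python
"""Static audit for the injection pattern described above: an off-origin
jquery.js loader and a full-page overlay iframe. Added example; the sample
page and every hostname in it are constructed, not taken from the report."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Library file names an injected loader commonly borrows to blend in.
LIBRARY_NAMES = {"jquery.js", "jquery.min.js"}


class PageAuditor(HTMLParser):
    def __init__(self, site_host, trusted_hosts=()):
        super().__init__()
        self.trusted = {site_host, *trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self._check_script(a["src"])
        elif tag == "iframe":
            self._check_iframe(a)

    def _check_script(self, src):
        u = urlparse(src)
        if not u.netloc:            # relative URL: same origin, nothing to flag
            return
        host = u.hostname or ""
        name = u.path.rsplit("/", 1)[-1].lower()
        if host not in self.trusted and name in LIBRARY_NAMES:
            self.findings.append(f"off-origin {name} loaded from {host}")

    def _check_iframe(self, a):
        style = (a.get("style") or "").replace(" ", "").lower()
        full = "width:100%" in style and "height:100%" in style
        pinned = "position:fixed" in style or "position:absolute" in style
        if full and pinned:         # sized and positioned to hide the real page
            self.findings.append(f"full-page overlay iframe -> {a.get('src') or '?'}")


def audit(html, site_host, trusted_hosts=("code.jquery.com",)):
    p = PageAuditor(site_host, trusted_hosts)
    p.feed(html)
    return p.findings


# Constructed sample resembling a compromised shop page after the overlay is injected.
SAMPLE = """<html><head>
<script src="/static/jquery.min.js"></script>
<script src="https://c2.example.invalid/jquery.js"></script>
</head><body>
<iframe src="https://c2.example.invalid/frame" style="position:fixed; top:0; left:0; width:100%; height:100%"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE, "shop.example.invalid"):
        print("ALERT:", f)
```

The overlay iframe only exists in the rendered DOM, so feed the auditor a post-load DOM snapshot (for instance from a headless browser) rather than the raw server response when hunting for this pattern.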
If the victim clicks the update button, a download starts: Certificate_Update_v02.2020.exe. Once unpacked and installed, the executable delivers one of two malware variants:
Mokes, a Windows/Mac backdoor that can execute code, take screenshots and exfiltrate files as well as audio and video captures. It may also install a further backdoor for added persistence, all the while using AES-256 encryption to hide its activity.
Buerak, a Windows Trojan capable of executing code and interfering with running processes. It may also maintain persistence through registry keys, steal content, and detect attempts at analysis and sandboxing.