After the breach of Sony Pictures, which leaked passwords stored in plain text along with the company's signing certificates (and, necessarily, the private keys behind them), attackers have reportedly begun using a valid Sony certificate to sign malware.
Security researchers at Kaspersky Lab identified a new piece of malware, dubbed ‘Destover,’ compiled on December 5th and signed with the stolen Sony certificate; it is built to infect Windows machines.
Because a valid signature from a well-known publisher such as Sony is trusted by default by a number of security products, signed samples have a higher chance of running without being flagged. At the time, the online scanner VirusTotal showed only 38 of 56 anti-virus engines detecting the sample, about 68%, meaning roughly one engine in three missed a signed, known-malicious file.
“We’ve seen attackers leverage trusted certificates in the past, as a means of bypassing whitelisting software,” researchers wrote in a post.
Kaspersky has not yet mapped the full capabilities of Destover, but found that it reports back to a number of command-and-control servers.
Sony has been dealing with a massive intrusion since last week: attackers took over the Sony Pictures corporate network and forced it offline. During the attack they stole millions of documents, terabytes of data in all, which they have begun leaking; the attack is believed to be in retaliation for the Sony Pictures film The Interview, among numerous other stated grievances.
“In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own,” Kaspersky Lab’s GReAT Team member, Kurt Baumgartner, said in a blog post. “All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.”
Kaspersky researchers have been investigating the malware since it surfaced, and note that attackers may reuse the stolen Sony certificate in other malware operations.
“The stolen Sony certificates (which were also leaked by the attackers) can be used to sign other malicious samples. In turn, these can be further used in other attacks. Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective,” Kaspersky researchers wrote in their detailed analysis of the Destover malware.
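The trust failure described above, as an added example that is not code from the article, from Kaspersky or from Sony: a small Python policy check showing why "the signature chain validates" is not enough once a publisher's signing certificate has been stolen. Every certificate record, serial, thumbprint and date below is constructed for illustration; the decision logic follows standard Authenticode and CRL semantics (a revoked signer's timestamped signature is kept only if the timestamp predates the CRL entry's invalidity date, RFC 5280), and the thumbprint blocklist stands in for a threat-intelligence feed an organisation would maintain before the CA publishes a revocation.

```python
"""Trust decision for a code-signing signer that chains to a trusted CA.

Added example; not Kaspersky's, Sony's or any vendor's code. All records
are constructed. It models the check a whitelisting/AV policy needs beyond
'chain validates': the signer certificate itself may be stolen.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class SignerInfo:
    subject: str
    issuer: str
    serial: str                        # certificate serial, hex
    thumbprint: str                    # hash of the signer certificate (constructed)
    chain_valid: bool                  # signature verifies and chain builds to a trusted root
    signing_time: Optional[datetime]   # from a trusted timestamp countersignature, None if absent


@dataclass(frozen=True)
class Revocation:
    issuer: str
    serial: str
    revoked_at: datetime
    invalidity_date: Optional[datetime] = None  # CRL entry extension: when the key is believed compromised


@dataclass(frozen=True)
class Verdict:
    allow: bool
    reason: str


def naive_whitelist(sig: SignerInfo) -> bool:
    # The policy the article describes being bypassed: trust anything that validates.
    return sig.chain_valid


def effective_cutoff(rev: Revocation) -> datetime:
    # For key compromise the CA backdates invalidity to the compromise date;
    # otherwise the revocation time itself is the cutoff.
    return rev.invalidity_date or rev.revoked_at


def evaluate_signer(sig: SignerInfo, revocations, blocked_thumbprints, *, require_timestamp=True) -> Verdict:
    if not sig.chain_valid:
        return Verdict(False, "signature or chain does not verify")
    if sig.thumbprint.lower() in {t.lower() for t in blocked_thumbprints}:
        return Verdict(False, "signer certificate is on the known-compromised list")
    for rev in revocations:
        if rev.issuer == sig.issuer and rev.serial.lower() == sig.serial.lower():
            cutoff = effective_cutoff(rev)
            if sig.signing_time is None:
                return Verdict(False, "signer revoked and signature carries no trusted timestamp")
            if sig.signing_time >= cutoff:
                return Verdict(False, f"signed {sig.signing_time.date()} on or after invalidity date {cutoff.date()}")
            return Verdict(True, "signer revoked, but trusted timestamp predates the invalidity date")
    if require_timestamp and sig.signing_time is None:
        return Verdict(False, "valid chain but no trusted timestamp; cannot bind to a pre-compromise period")
    return Verdict(True, "chain valid, signer neither revoked nor blocked")


# Constructed records: one publisher certificate, later stolen; a legitimate
# installer signed before the theft and a dropper signed after it.
STOLEN_CERT = dict(subject="CN=Example Pictures Entertainment", issuer="CN=Example Code Signing CA",
                   serial="0a1b2c3d", thumbprint="aa" * 32)
LEGIT_INSTALLER = SignerInfo(**STOLEN_CERT, chain_valid=True, signing_time=datetime(2014, 11, 3, tzinfo=UTC))
MALWARE_DROPPER = SignerInfo(**STOLEN_CERT, chain_valid=True, signing_time=datetime(2014, 12, 5, tzinfo=UTC))
UNTIMESTAMPED = SignerInfo(**STOLEN_CERT, chain_valid=True, signing_time=None)
REVOCATIONS = [Revocation(issuer=STOLEN_CERT["issuer"], serial=STOLEN_CERT["serial"],
                          revoked_at=datetime(2014, 12, 9, tzinfo=UTC),
                          invalidity_date=datetime(2014, 11, 24, tzinfo=UTC))]


def demo() -> dict:
    return {
        "naive_malware": naive_whitelist(MALWARE_DROPPER),                    # True: the bypass
        "unknown_compromise": evaluate_signer(MALWARE_DROPPER, [], []),       # allowed: nobody knows yet
        "intel_block_before_crl": evaluate_signer(MALWARE_DROPPER, [], [STOLEN_CERT["thumbprint"]]),
        "hardened_malware": evaluate_signer(MALWARE_DROPPER, REVOCATIONS, []),
        "hardened_legit": evaluate_signer(LEGIT_INSTALLER, REVOCATIONS, []),
        "no_timestamp": evaluate_signer(UNTIMESTAMPED, REVOCATIONS, []),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

The "unknown_compromise" case is the uncomfortable one: until the CA revokes the certificate or a blocklist entry exists, a signature-only policy has no basis to refuse the sample, which is why Kaspersky's warning about further samples signed with the same certificate matters and why a hash allowlist, not publisher trust, is the stronger control for critical hosts.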