Chinese Malware Campaign Aided by Compromised Digital Certificate
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Chinese Malware Campaign Aided by Compromised Digital Certificate

The Chinese hackers LuckyMouse used LeagSoft’s compromised digital certificate to sign its driver

Let’s talk about what can happen with a compromised digital certificate. Since March, Kaspersky Labs has been tracking a series of infections from a previously unknown Trojan that was being injected into LSASS.exe. The injection was done by a network filtering driver that was signed with a legitimate digital certificate belonging to the Chinese company ShenZhen LeagSoft Technology Co.

Kaspersky assesses, with a high level of confidence, that this campaign is being carried out by the Chinese hacker collective Lucky Mouse.

There’s a lot to untangle here, but this entire story serves as a fascinating reminder about private key security and what can happen with a compromised digital certificate. It’s also got a bit of a geopolitical slant and another group of curiously named hackers.

Let’s hash it out.

Using a Compromised Digital Certificate to Sign Malware

The lynchpin of this entire operation was a network filtering driver, NDISProxy. The driver itself seems to be derived from publicly available C source code including the Blackbone repository and an http-parser available on GitHub. The driver was then signed using a digital certificate, sometimes called a code signing certificate, issued by VeriSign to a Chinese company called LeagSoft, which rather ironically creates infosec software.

compromised digital certificate

It’s unclear how the hackers came into possession of the digital certificate, but what’s really meant by that is that they were able to compromise the private key. The idea behind Code Signing is that by applying a digital signature, the client can tell who created the software. If a legitimate company has its private key compromised, an attacker could use it to sign malware, which would then be trusted because it appears to come from a legitimate company.

You can see why that would be an issue.

And this is going to be an issue for LeagSoft, because while the compromised digital certificate expired in July, it was used to sign a lot of legitimate products, too.

Subject ShenZhen LeagSoft Technology Co.,Ltd.
Serial number 78 62 07 2d dc 75 9e 5f 6a 61 4b e9 b9 3b d5 21
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid to 2018-07-19

Now LeagSoft is probably may need to wage some sort of customer confidence campaign. Case in point is the final sentence of Kaspersky’s threat report:

Please don’t consider all signed files as malicious.

That’s what the browser industry calls “user-hostile.” It asks the user to make a judgment call. Now, hopefully in LeagSoft’s case, this incident will fly under the radar and most people will have no reason to question its software’s legitimacy. But you can see the potential for this to hurt a business. And with internet filters like Microsoft SmartScreen that assign trust scores, there may be a penalty incurred.

Really, all of this boils down to private key security. This is what happens when your private key is compromised.

What Did the Signed Driver Do?

Without getting too granular, the driver injects a trojan into LSASS.exe, which is a process in Microsoft’s OS called Local Security Authority SubSystem Service. LSASS.exe handles user permissions for the system, doling out access tokens and dealing with user logins and passwords.

TrojanBasically, the driver does two things, first it decrypts the Remote Access Trojan (RAT) that is injected into the system, second it sets up lines of communication between the command server and the RAT. I’m giving you an extremely abridged version, the driver actually writes quite a few files, concatenates them and ensures that the control server has everything it needs in place to assume control over the system.

The malware can also propagate using the network login and user information contained in LSASS.exe. This allows it to reach systems that only have a LAN IP. NDISProxy uses an Earthworm SOCKS tunneler to connect them to the Command server.

Using this tool, attackers can make lateral movements and create SOCKS tunnels. The Trojan itself serves as an HTTPS-enabled Server, so that the Command server can communicate via the SOCKS tunnel with systems that don’t have an external IP address.

If none of that made sense to you, basically the Chinese hacker collective Lucky Mouse was using a digitally signed driver to infect computer systems with a Remote Access Trojan that allowed a command server to take over targeted computer systems and even networks.

compromised digital certificate

Who Is Lucky Mouse and What Is It Doing?

I’m not sure what the naming conventions are when it comes to hacker groups, but much like Russia’s Fancy Bear, Lucky Mouse has a colorful name that belies its conduct online. Per Kaspersky, the campaign that was aided in part by the compromised digital certificate targeted middle Asian government entities, specifically it was targeting one high-level meeting in particular.

Compromised Digital CertificateThis assumption is based on:

  • The use of the Earthworm tunneler, which is popular with Chinese hackers
  • One of the commands creates a tunnel to a previously identified Lucky Mouse control server
  • The choice of victims lines up with previous efforts by Lucky Mouse

Particularly, Lucky Mouse seems to have a keen interest in Central Asia and the political agenda of the Shanghai Cooperation Organization, which is a Eurasian alliance between China, Russia and several former Soviet states.

In June, Kaspersky reported a Lucky Mouse operation that injected scripts in the government website for an unnamed Central Asian country’s National Data Center

The cyber hackers, called Lucky Mouse, are said to have been a group trying to get user information. This group is also called by names such as Iron Tiger, Threat Group-3390, EmissaryPanda, and APT27. The cyber attacks started in 2017, Kaspersky says, adding that malicious scripts were infected into the official website to conduct the country-level waterholing campaign.

Personally, I’m partial to Emissary Panda, because I like the mental image it conjures. The more consequential name is APT 27. APT stands for Advanced Persistent Threat, which is incredibly apt. (I’m legitimately sorry for that pun.)

How Do You Know If You’ve Been Compromised?

Kaspersky provided the following hash values, IP addresses and file names so that you can make sure you’re not infected. Again, if you’re not in Asia, you probably don’t have anything to worry about, but we do have a number of customers that are in Asia, so we’ll provide these anyway.










Auxiliary Earthworm SOCKS Yunneler and Scanline Network Dcanner



Domains and IPs











Registry Keys and Values










As always, leave any comments or questions below!

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.