The Chinese hackers LuckyMouse used LeagSoft’s compromised digital certificate to sign its driver
Let’s talk about what can happen with a compromised digital certificate. Since March, Kaspersky Labs has been tracking a series of infections from a previously unknown Trojan that was being injected into LSASS.exe. The injection was done by a network filtering driver that was signed with a legitimate digital certificate belonging to the Chinese company ShenZhen LeagSoft Technology Co.
Kaspersky assesses, with a high level of confidence, that this campaign is being carried out by the Chinese hacker collective Lucky Mouse.
There’s a lot to untangle here, but this entire story serves as a fascinating reminder about private key security and what can happen with a compromised digital certificate. It’s also got a bit of a geopolitical slant and another group of curiously named hackers.
Let’s hash it out.
Using a Compromised Digital Certificate to Sign Malware
The lynchpin of this entire operation was a network filtering driver, NDISProxy. The driver itself seems to be derived from publicly available C source code including the Blackbone repository and an http-parser available on GitHub. The driver was then signed using a digital certificate, sometimes called a code signing certificate, issued by VeriSign to a Chinese company called LeagSoft, which rather ironically creates infosec software.
It’s unclear how the hackers came into possession of the digital certificate, but what’s really meant by that is that they were able to compromise the private key. The idea behind Code Signing is that by applying a digital signature, the client can tell who created the software. If a legitimate company has its private key compromised, an attacker could use it to sign malware, which would then be trusted because it appears to come from a legitimate company.
You can see why that would be an issue.
And this is going to be an issue for LeagSoft, because while the compromised digital certificate expired in July, it was used to sign a lot of legitimate products, too.
|Subject||ShenZhen LeagSoft Technology Co.,Ltd.|
|Serial number||78 62 07 2d dc 75 9e 5f 6a 61 4b e9 b9 3b d5 21|
|Issuer||VeriSign Class 3 Code Signing 2010 CA|
Now LeagSoft is probably may need to wage some sort of customer confidence campaign. Case in point is the final sentence of Kaspersky’s threat report:
Please don’t consider all signed files as malicious.
That’s what the browser industry calls “user-hostile.” It asks the user to make a judgment call. Now, hopefully in LeagSoft’s case, this incident will fly under the radar and most people will have no reason to question its software’s legitimacy. But you can see the potential for this to hurt a business. And with internet filters like Microsoft SmartScreen that assign trust scores, there may be a penalty incurred.
Really, all of this boils down to private key security. This is what happens when your private key is compromised.
What did the signed driver do?
Without getting too granular, the driver injects a trojan into LSASS.exe, which is a process in Microsoft’s OS called Local Security Authority SubSystem Service. LSASS.exe handles user permissions for the system, doling out access tokens and dealing with user logins and passwords.
Basically, the driver does two things, first it decrypts the Remote Access Trojan (RAT) that is injected into the system, second it sets up lines of communication between the command server and the RAT. I’m giving you an extremely abridged version, the driver actually writes quite a few files, concatenates them and ensures that the control server has everything it needs in place to assume control over the system.
The malware can also propagate using the network login and user information contained in LSASS.exe. This allows it to reach systems that only have a LAN IP. NDISProxy uses an Earthworm SOCKS tunneler to connect them to the Command server.
Using this tool, attackers can make lateral movements and create SOCKS tunnels. The Trojan itself serves as an HTTPS-enabled Server, so that the Command server can communicate via the SOCKS tunnel with systems that don’t have an external IP address.
If none of that made sense to you, basically the Chinese hacker collective Lucky Mouse was using a digitally signed driver to infect computer systems with a Remote Access Trojan that allowed a command server to take over targeted computer systems and even networks.
Who is Lucky Mouse and what is it doing?
I’m not sure what the naming conventions are when it comes to hacker groups, but much like Russia’s Fancy Bear, Lucky Mouse has a colorful name that belies its conduct online. Per Kaspersky, the campaign that was aided in part by the compromised digital certificate targeted middle Asian government entities, specifically it was targeting one high-level meeting in particular.
This assumption is based on:
- The use of the Earthworm tunneler, which is popular with Chinese hackers
- One of the commands creates a tunnel to a previously identified Lucky Mouse control server
- The choice of victims lines up with previous efforts by Lucky Mouse
Particularly, Lucky Mouse seems to have a keen interest in Central Asia and the political agenda of the Shanghai Cooperation Organization, which is a Eurasian alliance between China, Russia and several former Soviet states.
In June, Kaspersky reported a Lucky Mouse operation that injected scripts in the government website for an unnamed Central Asian country’s National Data Center
The cyber hackers, called Lucky Mouse, are said to have been a group trying to get user information. This group is also called by names such as Iron Tiger, Threat Group-3390, EmissaryPanda, and APT27. The cyber attacks started in 2017, Kaspersky says, adding that malicious scripts were infected into the official website to conduct the country-level waterholing campaign.
Personally, I’m partial to Emissary Panda, because I like the mental image it conjures. The more consequential name is APT 27. APT stands for Advanced Persistent Threat, which is incredibly apt. (I’m legitimately sorry for that pun.)
How do you know if you’ve been compromised?
Kaspersky provided the following hash values, IP addresses and file names so that you can make sure you’re not infected. Again, if you’re not in Asia, you probably don’t have anything to worry about, but we do have a number of customers that are in Asia, so we’ll provide these anyway.
Auxiliary Earthworm SOCKS tunneler and Scanline network scanner
Domains and IPs
Registry keys and values
As always, leave any comments or questions below!