LuckyMouse uses legitimate certificate to sign malware

Read time 2min 30sec
LuckyMouse strikes again.
LuckyMouse strikes again.

Researchers at Kaspersky Lab have uncovered several infections from a previously unknown Trojan, which they say is probably related to the notorious Chinese-speaking threat actor group known as 'LuckyMouse'.

The malware has an unusual characteristic: a hand-picked driver, signed with a legitimate digital certificate that was issued by a company that develops information security-related software.

LuckyMouse has become infamous for highly targeted cyber attacks on large organisations around the world. Its activities are endangering an entire region, including south eastern and central Asia, as its attacks appear to be politically motivated, says Kaspersky.

Judging by victim profiles and the group's previous attack vectors, researchers think the Trojan they have detected might have been used for nation-state backed cyber-espionage.

Stolen digital certificate

The Trojan infected a target computer via a driver built by the malware authors. This enabled the criminals to execute all common tasks such as command execution, downloading and uploading files, and intercepting network traffic.

According to Kaspersky, the driver has revealed itself to be the most interesting part of this campaign. To make it appear legitimate, and help it evade security solutions, the group apparently stole a digital certificate and used it to sign malware samples.

"Another noteworthy feature of the driver is that, despite LuckyMouse's ability to create its own malicious software, the software used in the attack appeared to be a combination of publicly available code samples from the public repositories and custom malware. Such simple adoption of a ready-to-use third-party code, instead of writing original code, saves developers time and makes attribution more difficult," the researchers say.

Denis Legezo, security researcher at Kaspersky Lab, says whenever a new LuckyMouse campaign rears its head, it's almost always around the same time as the lead-up to a high-profile political event, often preceding world leader summits.

"The actor isn't too worried about attribution; because they are now implementing third-party code samples into their programs, it's not time-consuming for them to add another layer to their droppers or to develop a modification for the malware and still remain untraced," he adds.

Don't trust the code

Kaspersky advises users to not automatically trust the code running on their systems. "Digital certificates do not guarantee the absence of backdoors."

In addition, the company says to use a robust security solution, equipped with malicious-behaviour detection technologies that enable even previously unknown threats to be caught.

Finally, it suggests subscribing the organisation's security team to a high-quality threat intelligence reporting service in order to get early access to information on the most recent developments in the tactics, techniques and procedures of sophisticated threat actors.

Login with