Some of the malware that infected the corporate network of antivirus provider Kaspersky Lab concealed itself using digital certificates belonging to Foxconn, the electronics manufacturing giant and maker of the iPhone, Xbox, and other well-known products.
Hacker group used a “zero-day trampoline” to scale Kaspersky defenses.
Cryptographically generated credentials are required to install drivers on newer, 64-bit versions of Windows. Foxconn used one such certificate when installing several legitimate drivers on Dell laptop computers in 2013. Somehow, the attackers who infected the Kaspersky Lab network appropriated the digital seal and used it to sign their own malicious drivers. As Ars explained last week, the drivers were the sole part of the entire Duqu 2.0 malware platform that resided on local hard drives. These drivers were on Kaspersky firewalls, gateways, or other servers that had direct Internet access and were used to surreptitiously marshal sensitive information in and out of the Kaspersky network.
Not the first time
The Foxconn certificate is the third one used to sign malware that has been linked to the same advanced persistent threat (APT) attackers. The Stuxnet malware, which reportedly was developed by the US and Israel to sabotage Iran’s nuclear program, used a digital certificate from Realtek, a hardware manufacturer in the Asia Pacific region. A second driver from Jmicron, another hardware maker in the Asia Pacific, was used several years ago to sign Stuxnet-related malware developed by some of the same engineers. Like the previous two certificates, the one belonging to Foxconn had never been found signing any other malicious software.