The attackers behind the recently disclosed Duqu 2.0 APT have used stolen digital certificates to help sneak their malware past security defenses, and one of the certificates used in the attacks was issued to Foxconn, the Chinese company that manufactures products for Apple, BlackBerry, Dell, and many other companies.
Researchers at Kaspersky Lab, who discovered the Duqu 2.0 campaign, said Monday that the certificate was used to sign a driver that the attackers employed as part of their technique to get malicious traffic in and out of compromised networks. Because the Duqu 2.0 malware doesn’t have a typical persistence mechanism, the attackers used a variety of methods for ensuring they could access target systems as needed. One of those techniques involves the attackers installing malicious drivers on network gear, including firewalls, and then using them to redirect traffic to a specific set of ports.
“The attackers created an unusual persistence module which they deploy on compromised networks. It serves a double function – it also supports a hidden C&C communication scheme. This organization-level persistence is achieved by a driver that is installed as a normal system service. On 64-bit systems, this implies a strict requirement for an Authenticode digital signature. We have seen two such persistence drivers deployed in the course of attacks,” an analysis from the Kaspersky researchers says.
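The requirement for an Authenticode signature on 64-bit driver loads is exactly why a stolen certificate matters: the signature verifies, so the status alone will not catch it. As an added, defensive example that is not from the article or from Kaspersky's analysis, assuming PowerShell 3 or later on Windows, the script below inventories the signer of every installed kernel driver service and flags drivers whose signature does not verify or whose publisher is not on an allow-list (the allow-list here is a placeholder to be replaced with your own vendors):

```powershell
# Added example (not the article's or Kaspersky's code). Lists the Authenticode
# signer of each installed kernel driver service and flags drivers whose signature
# is not Valid or whose publisher is not on the allow-list below.
$expectedPublishers = @('Microsoft Windows', 'Microsoft Corporation')   # placeholder allow-list

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName may be quoted, carry a \??\ or \SystemRoot\ prefix,
    # or be relative to the Windows directory; normalise it to a plain file path.
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    if (Test-Path -LiteralPath $p) { return $p } else { return $null }
}

$report = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $publisher = '<unsigned>'
    $thumbprint = ''
    if ($sig.SignerCertificate) {
        $thumbprint = $sig.SignerCertificate.Thumbprint
        if ($sig.SignerCertificate.Subject -match 'CN=([^,]+)') {
            $publisher = $Matches[1].Trim('"')
        }
    }

    # A stolen certificate yields a well-formed signature, so Status alone is not
    # enough; an unexpected publisher name is the second, independent signal.
    $suspicious = ($sig.Status -ne 'Valid') -or ($expectedPublishers -notcontains $publisher)

    [pscustomobject]@{
        Service    = $drv.Name
        State      = $drv.State
        Path       = $path
        Status     = $sig.Status
        Publisher  = $publisher
        Thumbprint = $thumbprint
        Suspicious = $suspicious
    }
}

$report | Where-Object Suspicious | Sort-Object Publisher | Format-Table -AutoSize
```

Run it elevated and compare the flagged publishers and thumbprints against your hardware and software inventory; a signer you do not recognise, even with a Valid status, is the case this article describes.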