HijackLoader: New Malicious Activity Abusing Legitimate Certificates
Researchers from a French company have discovered a new malicious campaign that uses legitimately issued code-signing certificates to distribute malware.
https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/
Overview of the infection chain
The malicious activity, discovered early in the month, aims to install a data-stealing program known as .
Also known as He, it was first observed in [month] [year].
It spreads through downloads of fake files posing as pirated software or movies.
The new version of the attack sends users to a fake CAPTCHA page that instructs them to paste and run commands, which download an infected archive.
Three variants of malicious scripts have been observed since mid-month this year.
This includes scripts that use ";" and ";" to execute code and download malicious data from a remote server.
The archive downloaded by the victim contained legitimate executable files that in turn loaded malicious ones.
The malicious files decrypt and run an encrypted payload whose purpose is to download and launch the second-stage information stealer.
Since [month] [year], attackers have begun using signed binaries instead of [unspecified method] to evade antivirus detection.
It is not yet clear whether all of the certificates were stolen; the researchers believe some of them may have been obtained by the attackers themselves.
The certificate used to sign the malware has reportedly since been revoked.
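A signed binary is only as trustworthy as its certificate chain at the moment you check it, so revocation status matters as much as a "Valid" signature. The following PowerShell snippet is an added example, not code from the HarfangLab report: it lists the Authenticode status of every executable in a folder and rebuilds each signer's chain with online revocation checking, so a revoked or unknown-status certificate is surfaced alongside the signature result. The folder path is an assumption.

```powershell
# Added example (not from the report): audit signatures and revocation status
# of executables in a folder. The path below is an assumption.
$Folder = 'C:\Suspect'

Get-ChildItem -Path $Folder -Include *.exe, *.dll -Recurse -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $chainOk = $false
    $chainStatus = 'unsigned'

    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Check revocation online for the whole chain, not only the leaf certificate
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $chainOk = $chain.Build($sig.SignerCertificate)
        # ChainStatus is empty when the chain built cleanly; otherwise it names
        # the problem (Revoked, RevocationStatusUnknown, UntrustedRoot, ...)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $chainStatus) { $chainStatus = 'OK' }
    }

    [pscustomobject]@{
        File        = $_.Name
        SigStatus   = $sig.Status              # Valid / NotSigned / HashMismatch / ...
        Signer      = $sig.SignerCertificate.Subject
        ChainValid  = $chainOk
        ChainStatus = $chainStatus
    }
} | Format-Table -AutoSize
```

Entries showing SigStatus Valid but ChainStatus Revoked or RevocationStatusUnknown deserve a closer look; a signature alone says nothing about who controls the key.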
Recent reports also indicate an increase in targeted attacks that rely on a specific piece of malware to infect systems. This trojan spreads rapidly by creating multiple copies of itself and opens a backdoor for remote access.
The use of legitimate digital signatures to distribute malware shows that even established trust mechanisms can become effective tools in the hands of attackers.
This underscores the importance of continuously improving defences and staying alert to suspicious activity, even when it appears harmless.