- Chinese APT group Bronze Starlight uses stolen Ivacy VPN certificate to sign malware for the Southeast Asian gambling sector.
- Stolen certificate makes malware appear legitimate, bypassing security and blending in with regular software.
- Attacks began in March 2023, linked to earlier Operation ChattyGoblin discovered in 2022.
- Bronze Starlight, known for political campaigns, deploys malware via chat apps and fake software versions.
- Malware targets vulnerable software, and avoids execution in some Western countries; DigiCert revoked certificate; no statements from PMG PTE LTD or Ivacy VPN.
SentinelLabs researchers have discovered that a Chinese APT group known as Bronze Starlight has been signing off malware with a valid certificate. This certificate is used by Ivacy VPN, and the hackers’ target is the gambling industry in Southeast Asia.
Using this technique, hackers can ensure that malware bypasses all security measures without raising suspicion and invades target devices. It can also easily blend into legitimate software traffic.
It is worth noting that the issue was first reported by MalwareHunterTeam on X (previously known as Twitter) on 29 May 2023 and later analyzed by SentinelLabs. According to researchers, this stolen certificate belongs to Singapore-based VPN vendor PMG PTE LTD, the developer of Ivacy VPN.
In SentinelLabs’ blog post authored by Aleksandar Milenkoski, the first wave of attacks was observed in March 2023; however, it could be a continuation of an already ongoing hacking campaign dubbed Operation ChattyGoblin (discovered by ESET in late 2022).
Bronze Starlight (aka DEV-0401 and SLIME34) is a Chinese ransomware group that mostly runs espionage and politically motivated campaigns instead of financially motivated ones. The group’s primary weapon is ransomware, including LockFile, LockBit 2.0, NightSky, AtomSilo, Pandora etc, as reported previously by SecureWorks and Microsoft.
The attack starts with delivering .NET executables such as AdventuresQuest.exe onto the targeted device through compromised chat applications. This particular file was first observed by MalwareHunterTeam’s cybersecurity expert, and they later reported it on X.
Per MalwareHunterTeam’s observation, the certificate used in this attack was similar to the one used in authentic Ivacy VPN installations.
"PMG PTE. LTD." signed "AdventureQuest.exe": 43fb2d2e7596bed395bba6e012d0ee13ed61856cd63db47bf94160881d3e3ac7— MalwareHunterTeam (@malwrhunterteam) May 29, 2023
The executables then retrieve password-protected ZIP archives from Alibaba storage repositories through fake or infected versions of popular programs vulnerable to DLL hijacking, such as Microsoft Edge, Adobe Creative Cloud, and McAfee VirusScan.
Further research from SentinelLabs revealed that the executables used geo-restrictions for preventing malware from getting executed in certain, pre-defined Western countries, e.g., the USA, France, Germany, Russia, India, Canada, and the UK. This could be because the hackers are either not interested in targeting these regions or are deliberately avoiding them to raise the chances of this campaign’s success.
Researchers believe that the VPN vendor doesn’t seem involved in this hack even though Ivacy VPN’s certificate has been used, also available on the PMG PTE LTD website.
“It is likely that at some point the PMG PTE LTD signing key has been stolen – a familiar technique of known Chinese threat actors to enable malware signing.”Aleksandar Milenkoski – Senior Threat Researcher at SentinelLabs
This is a common practice as VPNs frequently become targets of APT groups because of the trove of sensitive data and communications these may offer. It is unclear what kind of data Chinese hackers could be obtained through Ivacy VPN. For your information, the certificate has now been revoked by DigiCert.
Surprisingly, neither PMG PTE LTD nor Ivacy VPN has issued any official statement regarding this issue.