‘Stolen Foxconn certs’ used to embed Duqu 2.0 malware in Windows PCs
The crafty, super-sophisticated malware infiltrated Kaspersky Labs.
Reportedly, the Duqu 2.0 software was signed using legitimate digital certificates issued to Foxconn, the world’s leading Chinese electronics giant. The list of Foxconn’s customers includes Dell, Microsoft, Google, Apple, Sony and BlackBerry. This code-signing was disclosed by Kaspersky Labs researchers while studying the Duqu 2.0 infection.
Duqu 2.0 stays in the computer’s memory without writing data to the disk. The malware is described as an evolved form of the earlier Duqu worm, a cyber-espionage toolkit that was discovered in 2011 and associated with the infamous Stuxnet worm.
Foxconn-signed code was trusted by Windows because the Chinese goliath’s certificate was issued by a trusted certificate root, VeriSign. Therefore, the OS would happily run the 64-bit kernel-level Foxconn-signed Duqu 2.0 driver without raising any alarms. This would allow the malware to spread and infect the entire machine.
Kaspersky Labs’ experts reckon that Duqu’s masterminds are able to snatch copies of the security keys to different code-signing certificates and to use a new one in every attack on an organization.
The Foxconn certificate used in this sample was most probably stolen.
According to the Russian security company, the leaking of Foxconn’s certificate undermines the increasing use of digital certificates as a dependable tool for verifying computer code. Their whole point is to show that an executable was developed by the vendor that signed it and hasn’t been tampered with since.
Kaspersky Labs informed Foxconn and VeriSign of its findings before making them public in a blog post about the new twist in the Duqu 2.0 saga.
We previously reported that the Duqu 2.0 malware was used to hack Kaspersky. The attack was highly sophisticated and Israeli spies are the suspects.
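Because a valid signature only shows that someone holding the key signed the file, a defender can also ask whether the signer is a publisher the organization expects to see on its kernel drivers. The sketch below is an added example, not code from Kaspersky Labs or the original article; the inventory records, host names, file names, publisher names and the `review_drivers` function are all constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory of loaded kernel drivers:
# (host, driver path, signature status, signer). All values are made up.
INVENTORY = [
    ("ws-01", r"C:\Windows\System32\drivers\exfs.sys", "Valid", "Example OS Vendor"),
    ("ws-02", r"C:\Windows\System32\drivers\exfs.sys", "Valid", "Example OS Vendor"),
    ("ws-03", r"C:\Windows\System32\drivers\exfs.sys", "Valid", "Example OS Vendor"),
    ("ws-01", r"C:\Windows\System32\drivers\exgpu.sys", "Valid", "Example GPU Vendor"),
    ("ws-02", r"C:\Windows\System32\drivers\exgpu.sys", "Valid", "Example GPU Vendor"),
    ("ws-03", r"C:\Windows\System32\drivers\exdrv.sys", "Valid", "Example Hardware Maker"),
    ("ws-02", r"C:\Windows\System32\drivers\exold.sys", "NotSigned", ""),
]

# Assumption: publishers this organization knowingly deploys drivers from.
EXPECTED_PUBLISHERS = {"Example OS Vendor", "Example GPU Vendor"}


def review_drivers(inventory, expected, rare_hosts=1):
    """Return (host, path, reason) for drivers that deserve a closer look."""
    hosts_by_signer = defaultdict(set)
    for host, _path, status, signer in inventory:
        if status == "Valid":
            hosts_by_signer[signer].add(host)

    findings = []
    for host, path, status, signer in inventory:
        if status != "Valid":
            findings.append((host, path, "signature not valid"))
        elif signer not in expected:
            # The OS accepts this driver; the publisher is what looks wrong.
            reason = "valid signature, unexpected publisher: " + signer
            if len(hosts_by_signer[signer]) <= rare_hosts:
                reason += " (rare in fleet)"
            findings.append((host, path, reason))
    return findings


if __name__ == "__main__":
    for finding in review_drivers(INVENTORY, EXPECTED_PUBLISHERS):
        print(*finding, sep=" | ")
```

In practice the inventory would come from endpoint telemetry, and the allowlist would be maintained per hardware and software baseline.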
Via: Wired (http://www.wired.com/2015/06/foxconn-hack-kaspersky-duqu-2/)
Source: SecureList (https://securelist.com/blog/research/70641/the-duqu-2-0-persistence-module)