Phishing Campaigns: Combining EV Code Signing Certificates with Ransomware

In a chilling evolution of cybercriminal tactics, phishing campaigns have taken a sinister turn, now utilizing Extended Validation (EV) code signing certificates to facilitate the spread of ransomware. This alarming shift in strategy underscores the adaptability of threat actors, who are increasingly streamlining their operations and making their techniques multipurpose. Cybersecurity researchers recently shed light on this disturbing trend, shedding light on an alarming incident where threat actors harnessed EV code signing certificates to deliver information-stealing malware and ransomware through a single phishing campaign.

Ransomware Attack Using EV Code Signing Certificates

The modus operandi of these attacks begins with phishing emails bearing all-too-familiar lures designed to deceive unsuspecting victims into opening malicious attachments. These attachments initially appear benign, posing as innocuous PDF or JPG images; however, beneath this façade lurk executable files that, when activated, catalyze the compromise.

What sets these attacks apart is the use of EV code signing certificates to sign the initial payloads. Typically associated with trusted software, these EV code signing certificates lend an air of legitimacy to the malicious payloads, allowing them to bypass security measures more efficiently. Once inside the victim’s system, these payloads deliver info-stealing malware, extracting sensitive data and information.

However, the plot thickens as the exact delivery technique is employed to unleash ransomware and the EV code signing certificates upon the unsuspecting victim. Unlike the info-stealer samples, the files responsible for delivering the ransomware do not possess EV code signing certificates. Nonetheless, researchers believe both types of malware originate from the same threat actor, suggesting a division of labor within the cybercriminal ecosystem between payload providers and operators.

But the ominous narrative doesn’t end there. Another cybersecurity company, in a separate revelation, has uncovered new phishing campaigns featuring an upgraded malware loader called DBatLoader. This loader has a suite of capabilities, including user account control (UAC) bypass, persistence mechanisms, and process injection. These enhancements enable it to drop malicious programs onto compromised systems, ranging from Agent Tesla and Warzone RAT to FormBook and Remcos RAR.

The timeline of these attacks dates back to late June, with threat actors primarily targeting English-speaking victims. However, emails in Spanish and Turkish have also been identified, showcasing the global reach of these campaigns. What sets these attacks apart is the degree of control the threat actors exert over the email infrastructure, allowing them to easily navigate past SPF, DKIM, and DMARC email authentication methods.

Interestingly, a related revelation from a cybersecurity company has exposed a malicious advertising campaign targeting users searching for Cisco’s Webex video conferencing software on popular search engines like Google. This campaign redirects users to a counterfeit website hosting the BATLOADER malware. BATLOADER establishes contact with a remote server to download a second-stage encrypted payload called DanaBot. DanaBot, in turn, functions as both a stealer and keylogger malware, capable of exfiltrating sensitive data and providing remote access to compromised systems.

This campaign’s tracking template URLs as a filtering and redirection mechanism sets this campaign apart. These URLs help threat actors fingerprint and identify potential victims of interest. Visitors who don’t meet specific criteria, such as requests from sandboxed environments, are discreetly directed to the legitimate Webex site.

Alarming as it may be, the ads used in this campaign bear an uncanny resemblance to legitimate ones, luring unsuspecting users into visiting unsafe websites. Analysts warn that the type of software, like the EV code signing certificates, featured in these ads indicates a concerted effort by threat actors to target corporate victims. The objective is clear: the theft of credentials for further network penetration testing and, in some cases, the deployment of devastating ransomware attacks.

These developments underscore the need for heightened vigilance and robust cybersecurity measures in the ever-evolving landscape of cyber threats. Cybercriminals continue to innovate, and the fusion of phishing with EV code signing certificates represents yet another dangerous chapter in their playbook. Organizations and individuals must remain alert, keep their security protocols current, and be prepared to face this new breed of threats head-on. Phishing attacks are the most common methods threat actors use to harvest legitimate credentials.

SpearTip offers phishing training as mitigation to enhance skills related to defending against these threats. The exercise tests the discernment of companies’ teams, educates employees regarding common phishing tactics and indicators, and identifies related security gaps in their environments. Our team creates phishing email simulations like those threat actors use and sends them throughout the organizations. We provide insight and feedback to improve the cyber defenses of companies’ teams, leading to a profound decrease in the likelihood of being victimized by phishing scams. After the training, our team provides precise and thorough strategies to harden their environments and implement ongoing awareness training.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.