In a recent cyber threat campaign, data thieves have introduced a novel certificate abuse tactic, aiming to distribute information-stealing malware with a focus on acquiring sensitive data, including cryptocurrency from Windows systems.
Furthermore, this campaign utilizes search engine optimization (SEO) poisoning to manipulate search results, directing users to malicious webpages promoting illegal software cracks and downloads. These pages secretly deliver remote access Trojans (RATs) like LummaC2 and RecordBreaker (Raccoon Stealer V2). Notably, the malware employs abnormal certificates with lengthy strings that include non-English languages and special characters, making them challenging to detect and requiring specific tools for inspection.
The malware’s certificates have subject name and issuer name fields with long, non-standard strings, diverging from typical English character structures. The latest sample in circulation contains a URL-encoded malicious script designed to download and execute PowerShell commands from a specific address.
Although the observed sample was unsuccessful in downloading and executing, similar samples have been consistently distributed with slight variations for over two months, indicating a deliberate intent behind the campaign. Alongside delivery through websites promoting illegal software, this malware, specifically RaccoonStealer V2, is also distributed through platforms like YouTube.
While the certificate tactic is a unique approach and only partially successful thus far, users are cautioned to be aware of this method. The AhnLab researchers recommend Windows users exercise caution when downloading software online, especially from sources known for providing illegal versions of popular applications.
They have also provided indicators of compromise and a list of command-and-control domains linked to the delivery of LummaC2 and Raccoon Stealer V2, enhancing users’ ability to protect their systems.