The Advanced Persistent Threat (APT) group BlackTech has stolen code-signing certificates from D-Link and Changing Information Technology Inc., and is using them to cryptographically sign a remotely controlled backdoor known as Plead and an associated password stealer.
With the stolen certificates, individuals who receive the malware as email attachments are likely to be fooled into thinking the files are genuine and have been developed by trusted companies. If the executables are run, the malware will be installed, giving the attackers full control of an infected device and the ability to steal passwords stored in Google Chrome, Internet Explorer, Outlook and Firefox.
The malware campaign was discovered by researchers at ESET who noticed several suspicious files being distributed that had been signed with valid D-Link certificates – the same certificates that have been used to sign genuine D-Link software.
D-Link, the Taiwanese manufacturer of routers and cameras, recently confirmed that valid code-signing certificates have been stolen. In its support announcement, D-Link said the two stolen sha1RSA code-signing certificates were revoked on July 3. The company will be issuing firmware updates to correct the problem. The firmware is currently being developed and tested, and customers with the mydlink mobile application will be notified as soon as the firmware is released.
The theft will only affect a small number of D-Link customers. The revocation of the certificates means that customers who view and configure their cameras within a web browser will be notified of the invalid certificate. Users of the mobile application will not be affected. Until the firmware update has been released, D-Link suggested users ignore the certificate revocation warnings.
Changing Information Technology Inc. also revoked its stolen certificates on July 4 and will be issuing firmware updates.
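As an added defender-side example (not code from the article, ESET, D-Link or Changing Information Technology), the PowerShell function below triages a directory of Windows binaries, listing every Authenticode signer and flagging any whose certificate thumbprint is on a blocklist of revoked certificates; the function name, the directory path and the thumbprint values are assumptions, with the thumbprints left as placeholders to be replaced by the values the vendors publish.

```powershell
# Added example, not code from the article, ESET or either vendor. Hunts a
# directory for Authenticode-signed binaries whose signer certificate is on a
# blocklist of known-stolen, revoked code-signing certificates.
function Find-StolenCertSignatures {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $RevokedThumbprints
    )
    $blocklist = $RevokedThumbprints | ForEach-Object { $_.ToUpperInvariant() }

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }   # unsigned file: outside this check

            [pscustomobject]@{
                File        = $_.FullName
                Signer      = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                # The article notes the stolen D-Link certificates were sha1RSA.
                Algorithm   = $cert.SignatureAlgorithm.FriendlyName
                # 'Valid' only means the chain verified at check time. A signature
                # timestamped before the revocation date can still report Valid,
                # so the thumbprint match is the decisive signal, not Status.
                Status      = $sig.Status
                OnBlocklist = $blocklist -contains $cert.Thumbprint.ToUpperInvariant()
            }
        } | Where-Object { $_.OnBlocklist -or $_.Status -ne 'Valid' }
}

# Usage with PLACEHOLDER thumbprints (constructed labels, not the real values):
Find-StolenCertSignatures -Path 'C:\Quarantine' -RevokedThumbprints @(
    'PLACEHOLDER_DLINK_SHA1RSA_CERT_1',
    'PLACEHOLDER_DLINK_SHA1RSA_CERT_2',
    'PLACEHOLDER_CHANGING_INFORMATION_TECHNOLOGY_CERT'
) | Format-Table -AutoSize
```

Because Authenticode keeps a timestamped signature valid when the timestamp predates the certificate's revocation, a blocklist keyed on the stolen certificates' thumbprints catches files that a plain signature check would still accept.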
The BlackTech APT group is highly skilled and primarily conducts cyberattacks in East Asia. Investigations are underway to determine how the APT group obtained the certificates.