Crooks are using a new phishing technique to trick victims into accepting the installation of a security certificate update and deliver malware.

Security experts from Kaspersky Lab discovered spotted a new attack technique used by crooks to distribute malware by tricking victims into installing a malicious “security certificate update” when they visit compromised websites.

We have already observed threat actors distributing malware masqueraded by legitimate software updates. The new technique differs from previous ones because visitors to infected websites are asked to install a software update because the security certificate had expired.

“ we recently discovered a new approach to this well-known method: visitors to infected sites were informed that some kind of security certificate had expired. Unsurprisingly, the update on offer was malicious.” reads the report published Kaspersky.

“We detected the infection on variously themed websites — from a zoo to a store selling auto parts. The earliest infections found date back to January 16, 2020.”

The attackers that are using this new technique compromised a variety of websites, ranging from a zoo to an e-store selling vehicle parts. The first infections employed in these attacks date back to January 16, 2020.

The compromised websites display a message claiming the website’s security certificate is expired and urge visitors to install a “security certificate update” to correctly view the content of the website.

The message is contained within an iframe and content is loaded via a ldfidfa [ . ] pw / jquery . js script from a third-party server.

While the script is loaded, the URL bar still displays the legitimate address.

“The jquery . js script overlays an iframe that is exactly the same size as the page,” continues the analysis. “As a result, instead of the original page, the user sees a seemingly genuine banner urgently prompting to install a certificate update.”

Once the victim clicked on the update button, a file is downloaded (Certificate_Update_v02.2020.exe).

The executable unpacks and installs one of two malware variants to the victim, tracked as Mokes and Buerak.

The Mokes backdoor allows hackers to execute arbitrary commands on the victim’s computer, it works on Linux, Windows and also OS X.

Buerak is a Windows-based Trojan that implements backdoor capabilities and anti-analysis techniques.

Kaspersky experts included in their analysis the Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – hacking, undersea cables)