Attackers who stole code-signing certificates from D-Link and Changing Information Technologies have used them to sign malicious software that steals passwords, ESET reported.
Modern operating systems rely on the signatures generated by these certificates to ensure that software comes from legitimate sources.
“Our analysis identified two different malware families that were misusing the stolen [D-Link] certificate – the Plead malware, a remotely-controlled backdoor, and a related password stealer component,” stated ESET.
“Recently, the JPCERT published a thorough analysis of the Plead backdoor, which, according to Trend Micro, is used by the cyber-espionage group BlackTech.”
ESET said it notified D-Link of the issue, and that D-Link conducted an investigation and revoked the certificate on 3 July 2018.
Changing Information Technologies revoked its compromised certificate on 4 July 2018, but the attackers were still using it to sign their malware.
According to ESET, the malware collects saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, and Mozilla Firefox.