Signed Malware

I recently saw a quote on Twitter along the lines of "I couldn't be in threat intel because I'd get too carried away, go too far, and end up calling some hacker's mom." I had to laugh since I can relate. It is easy to get carried away and you can find a lot of information very quickly just being curious. Usually it is not worth anything but sometimes it can be worth noticing. Here is one example:

I saw a few posts on Twitter about how the sandbox is now open for anybody to use for free (some features remain premium). Since I sometimes tackle malware reverse engineering, I took a look at the site to see if it would be worth using and looked at their recent uploads to see what kinds of data it would gather. One of the first files spotted appeared to be a Word document targeting German speakers with social engineering, if successful it downloads and drops a malware binary from hxxp:// (probably a hacked website of the Chinese Association of Greater Windsor or open FTP upload or something) with a hash of f47717a4ae920921b69e8fd590c7a6353be08cad3cfc1a438c490b38e248d3f7

This sample immediately stood out to me as a bit unusual since, while it is detected as malicious by many engines, it has a valid signature from "CN=Divisible Limited, O=Divisible Limited, STREET=27 Old Gloucester Street, L=London, ST=London, OID. 3AX, C=GB" granted on 02/11/2018 01:00:00 from the Comodo CA, Thumbprint 2AC3FC5CF301F56995C61D35C0EC87C9FB6B1DF3 Serial number e3bf8e6c81ec99c560841af128f130d. A comment on hybrid analysis claims it is a Retefe banking trojan sample. I did not reverse engineer it any further to validate that.

A quick google shows us the company named DIVISIBLE LIMITED from 31 Aug 2017 to 3 Nov 2017 changed names to DIVISABILL LIMITED; it's run by "SHEPLEY, Ben"; and is in the "Management of real estate" business along with an address of a mail forwarding business.

Now, if somebody has some kind of registration tying them to malicious activity, the obvious questions include: Is this a real person? Is it a bogus front? Could this person be responsible for the malicious activity? Could this person be hacked or impersonated?

A good sign of whether an online persona is legitimate is the depth of online presence. Realistic consistent online footprint going back a long time and covering many sites is unlikely to be a false front. So my next google was for Ben Shepley, who is also registered as owner of The front page says " Split the bills with your housemates" following the landlord/real estate management theme and pointing to Leeds in the UK. The same registrant also owns and and I found a Twitter account of a Ben Shepley living in Leeds, England who talks about his real estate portfolio. There's also a public Facebook profile for a Ben Shepley, using the same picture as the twitter, who works at "Framework Solution Ltd" and also mentions some personal background educational info and interests. Another page, using the same picture includes additional details such as "You can see photos of my properties here..." "Please get in touch if you would like to see any of my properties. I am available on [phone number]."

This significant web presence seems to confirm that Ben is a legitimate real estate entrepreneur who I'm assuming the malware authors have simply impersonated, but may have hacked. I emailed Ben mostly because if someone was signing malware in my name, I would want to know about it too; to see if he had any comment on how someone may have impersonated him; and also because I had to laugh at how bewildered a random guy getting a "digital bank robbers are using your identity" email would be. Unsurprisingly, I did not get any response. Per the Retefe gang have frequently obtained Apple developer certificates before as well. But I didn't see anybody talking about Windows certs or detailing how these certs were obtained.

I thought it is worth pointing out because many application whitelisting product configurations simply accept all signed binaries, and a signature can increase the apparent legitimacy of a sample to automatic machine learning classifiers or manual hunters. Signed binaries seem to be a common discussion point online these days as well. Next time you are looking for bad stuff in networks, keep in mind there are many malicious signed binaries in the wild.

Update (2018-03-12) Ben did reply to me, confirming the name of his business and that he did not purchase such a certificate. So rather than certificate theft, this appears to be a fraudulent initial registration.

  1. No comments yet.
(will not be published)