Two threat groups, RedLine and Vidar, have abused Extended Validation (EV) code-signing certificates in cybercriminal campaigns that deliver infostealers and ransomware strains. The operation deceives victims into downloading malicious software that has been signed with EV code-signing certificates.
Earlier operations using this method deployed only information-stealing malware, but the actors have now used it for ransomware attacks as well.
In addition, more than 30 distinct malware samples that abuse EV code-signing certificates were identified between July and August. These samples showed signs of being the infostealer detected as TrojanSpy.Win32.VIDAR.SMA. They pose a serious threat to their targets because the valid signature disguises them, allowing them to evade traditional detection methods.
The RedLine and Vidar threat groups may have acquired the security tokens and signed certificates themselves.
Some researchers suggested that the RedLine and Vidar operators might have obtained the physical tokens, or unauthorised access to the compromised servers holding them, and used these to sign their malware with the EV certificates.
The victims initially encountered information stealers through numerous campaigns that started a few months ago. The threat escalated last month, however, with a ransomware attack. The attackers reportedly used specially crafted emails masquerading as a complaint from TripAdvisor.
The threat actors also show sophistication in manipulating their victims. RedLine and Vidar operators commonly use spear-phishing emails with persuasive language, often about health or hotel concerns, to pressure recipients into opening the attachment immediately.
Additionally, they use double file extensions so that an EXE file appears to be a legitimate document, such as a PDF or JPEG, and runs once the victim opens it. The attackers also complicate detection by launching LNK files that contain commands to execute the malicious payload.
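As an added illustration (not code from the article, nor from any vendor or researcher it cites), the following Python filters attachment names for the two lure patterns described above: a decoy document extension placed in front of an executable extension, and LNK shortcuts. The extension lists and the sample file names are constructed assumptions; the script also strips whitespace padding that is sometimes used to push the real extension out of view, which goes slightly beyond what the article describes.

```python
import os
from typing import List, Optional, Tuple

# Extensions Windows will execute directly (constructed defender list, not from the article).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "msi", "ps1",
}
# Document and image types commonly used as the decoy half of a double extension.
DECOY_EXTS = {
    "pdf", "jpg", "jpeg", "png", "gif", "doc", "docx",
    "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
}


def classify_filename(path: str) -> Optional[str]:
    """Return a short reason if the file name looks like a masquerading lure, else None.

    Covers the two tricks in the article: a document extension in front of an
    executable one (invoice.pdf.exe) and LNK shortcuts. Whitespace padding that
    hides the real extension (report.pdf     .exe) is stripped per segment first.
    """
    name = os.path.basename(path)
    segments = [s.strip().lower() for s in name.split(".")]
    if len(segments) < 2:
        return None  # no extension at all
    final_ext = segments[-1]
    inner_exts = segments[1:-1]
    decoys = [e for e in inner_exts if e in DECOY_EXTS]

    if final_ext == "lnk":
        if decoys:
            return f"LNK shortcut disguised as .{decoys[-1]} document"
        return "LNK shortcut (review the embedded command line)"

    if final_ext in EXECUTABLE_EXTS and decoys:
        return f"double extension: .{decoys[-1]} decoy before .{final_ext}"
    return None


def scan_names(paths: List[str]) -> List[Tuple[str, str]]:
    """Run classify_filename over a list of paths and return (path, reason) for each hit."""
    hits = []
    for p in paths:
        reason = classify_filename(p)
        if reason:
            hits.append((p, reason))
    return hits


# Constructed sample attachment names for a dry run (not real samples from the campaign).
SAMPLE_NAMES = [
    "TripAdvisor_Complaint.pdf.exe",
    "hotel_photo.jpeg.scr",
    "guest_review.pdf                 .exe",
    "complaint_details.pdf.lnk",
    "open_me.lnk",
    "booking_confirmation.pdf",
    "setup.exe",
]

if __name__ == "__main__":
    for path, reason in scan_names(SAMPLE_NAMES):
        print(f"{path!r}: {reason}")
```

A plain `setup.exe` is deliberately not flagged: the check targets masquerading, not executables as such, and a mail gateway or EDR rule built on it should be paired with signature validation rather than replace it, since the campaign's samples carry valid EV signatures.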
Organisations should prioritise investing in the cyber defence of their digital environments. Experts urge all users to configure and update their defences regularly to prevent or mitigate these attacks.
Proactivity is critical in combating these evolving threats, since most threat actors turn developing tactics to their advantage. Users should remain cautious, avoid downloads from untrusted sources, and protect their devices and networks with multi-layered security.