Attackers are now using a pair of files that appear to carry valid digital signatures to get malware past antivirus.
When the main dropper executes, it drops a .dll file and an .exe file. The catch is that the .dll file carries a forged digital signature purporting to come from Kaspersky.
The executable, QQLive.exe, carries a genuine signature from Chinese company Tencent Technology, better known as the creator of the popular QQ instant messaging service.
QQLive.exe is a legitimate application that a user can download from the QQ website. The trick in this case is that QQLive.exe's role is to load the malware's core DLL: the signed, trusted executable pulls in the malicious library dropped alongside it, the technique commonly known as DLL side-loading.
“By itself, the file poses no risk, but when this QQLive.exe is used to load the .DLL, it becomes a catalyst for infection,” said J. Gomez, a researcher at security firm FireEye.
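What a forged signature on the dropped DLL actually fails is the hash check, not the presence check: any file can carry a WIN_CERTIFICATE table copied from a vendor's binary, but the Authenticode hash that the signer's digest covers excludes only the CheckSum field, the security data directory entry and the certificate table itself, so every other byte of the impostor is covered and differs. The following Python is an added example, not code from this article or from FireEye: it parses a PE, reports whether a certificate table is present, computes that hash, and shows the transplant case on a constructed minimal image. `build_minimal_pe`, `make_win_certificate` and the placeholder `fake-SignedData.` bytes are hypothetical fixtures; the ASN.1 parsing needed to pull the digest out of a real SignedData structure is not included.

```python
"""Authenticode-style PE checks: is a WIN_CERTIFICATE table embedded, and what hash must its digest match?"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def parse_pe(data):
    """Locate the fields the Authenticode hash skips and the certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    if struct.unpack_from("<I", data, dirs - 4)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        raise ValueError("no security data directory entry")
    secdir_off = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)   # file offset, not RVA
    sections = []   # (PointerToRawData, SizeOfRawData), both at +16 in each 40-byte section header
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + size_opt + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    return {"checksum_off": opt + 64,   # CheckSum is at +64 in both PE32 and PE32+
            "secdir_off": secdir_off, "sections": sorted(sections),
            "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
            "cert_off": cert_off, "cert_size": cert_size}


def authenticode_hash(data, algo="sha256"):
    """Hash the file minus CheckSum, the security directory entry and the certificate table."""
    pe = parse_pe(data)
    h = hashlib.new(algo)
    h.update(data[:pe["checksum_off"]])
    h.update(data[pe["checksum_off"] + 4:pe["secdir_off"]])
    h.update(data[pe["secdir_off"] + 8:pe["size_of_headers"]])
    hashed = pe["size_of_headers"]
    for raw_ptr, raw_size in pe["sections"]:
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # Overlay after the sections is covered too, except the certificate table (assumed to follow the sections).
    if pe["cert_size"]:
        h.update(data[hashed:pe["cert_off"]])
        h.update(data[pe["cert_off"] + pe["cert_size"]:])
    else:
        h.update(data[hashed:])
    return h.hexdigest()


def describe_signature(data):
    """Is a WIN_CERTIFICATE present, and does it claim to hold PKCS#7 SignedData?"""
    pe = parse_pe(data)
    if not pe["cert_size"]:
        return {"signed": False}
    length, revision, cert_type = struct.unpack_from("<IHH", data, pe["cert_off"])
    return {"signed": True, "length": length, "revision": revision,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}


def signature_blob(data):
    """The raw certificate table bytes: exactly what a forger copies between files."""
    pe = parse_pe(data)
    return data[pe["cert_off"]:pe["cert_off"] + pe["cert_size"]]


def build_minimal_pe(body, cert=b""):
    """Constructed sample input (hypothetical, not a real binary): PE32, no sections, body as overlay."""
    size_of_headers, opt = 0x200, 0x40 + 4 + 20
    hdr = bytearray(size_of_headers)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 0)            # Machine i386, NumberOfSections 0
    struct.pack_into("<HH", hdr, 0x44 + 16, 224, 0x0102)    # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", hdr, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<II", hdr, opt + 56, 0x1000, size_of_headers)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)               # NumberOfRvaAndSizes
    if cert:   # the security entry points at the table by file offset, right after the body
        struct.pack_into("<II", hdr, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         size_of_headers + len(body), len(cert))
    return bytes(hdr) + body + cert


def make_win_certificate(payload):
    """Constructed WIN_CERTIFICATE (revision 2.0, PKCS#7 type) around placeholder bytes, not real SignedData."""
    return struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload


if __name__ == "__main__":
    legit = build_minimal_pe(b"vendor code".ljust(64, b"\0"), make_win_certificate(b"fake-SignedData."))
    forged = build_minimal_pe(b"malicious code".ljust(64, b"\0"), signature_blob(legit))   # transplanted table
    print("PKCS#7 table present:", describe_signature(legit)["pkcs7"], describe_signature(forged)["pkcs7"])
    print("Authenticode hashes equal:", authenticode_hash(legit) == authenticode_hash(forged))
```

Both files report a PKCS#7 certificate table, which is all a presence-only check sees; only the recomputed hash separates the donor from the impostor. On a live Windows host the equivalent check is `Get-AuthenticodeSignature` in PowerShell (its Status field reports HashMismatch for a transplanted block) or `signtool verify /pa`, and looking signed only helps the malware against tools that check for a signature rather than validate one.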
Tencent has said this is not the first time this has happened, yet it has still not revoked the certificate used to sign the file.
Experts said the cybercriminals chose a QQ component because its presence on a computer is unremarkable, given that the instant messaging platform has well over 600 million users.
Although in this particular case the malware authors did not sign their own creation with a valid certificate, the technique is clearly effective: by riding on a legitimately signed executable, the malware inherits its trust and raises the risk level of the environments it infects.
“While digital signatures are supposed to help establish ‘trust’ and bolster security, an inconvenient truth is, in today’s threat environment, it’s getting more and more difficult to determine whom to actually trust,” Gomez said.