FUD #CastleLoader being distributed via malvertising.
785ba9c42deca8cfc69f1aafb371802782d01bc8156a67c5c0d412c5fb3b4e33
C2: astroflightvision[.]com
The signer, "Soft Insanity Oy", led us to find other FUD malware from November.
1/3
In November "Soft Insanity Oy" received a code-signing certificate from Certum and GoGetSSL.
The Certum cert signed CastleLoader, but what about the GoGetSSL?
"CryptoChanger.exe" / "node.exe" a54f626f130c36709857215122d6ceb16e5fab7047316afc31a83dfa620cf292
2/3
CryptoCharger/CryptoVisa reaches out to 666777228[.]com which has been used by other payloads too.
Notably, signer: "TRUST & SIGN POLAND SP Z O O"
045f583cb7f46ae38ea65fc25d4c7678f306a589ab599dda7d9da404ee91d2f9 which we reported in March 2026.
3/3
We see so many abused certificates that we can't dig deep. If y'all ever want to get in on the front lines of it, be sure to join the Debloat Discord where we monitor and chat about abused certificates.
2/3
We didn't know how an actor was using EV Certificates issued to Lenovo and others.
We now do.
From DigiCert's incident report:
"the threat actor used a compromised analyst endpoint to access DigiCert's internal support portal. The threat actor used a limited function within the customer-support portal which allows authenticated DigiCert support analysts to access customer accounts from the customer's perspective to facilitate support tasks. The threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery for EV Code Signing certificate orders across a finite set of customer accounts."
"Possession of the initialization code, combined with an approved order, is functionally sufficient to generate and retrieve the corresponding certificate."
The full report can be found here and explains the incident in great detail: https://bugzilla.mozilla.org/show_bug.cgi?id=2033170
The report mentions "Where we got lucky: A community member involved in security research reported the evolving pattern of misused certificates and engaged in dialogue with our support team. Without that report, the undetected compromise of ENDPOINT2 and the associated mis-issuance might have remained undiscovered for a longer period."
Special thanks go to the regular contributors to the Cert Graveyard.
Also special thanks to DigiCert: this report has a high level of transparency, which is warranted, and is also well executed.
CertGraveyard's PKI Lab is available now.
Want to better understand code-signing certificates? The site allows you to extract and view certificates.
The Cert Inspection tool parses out all of the bits and flags anomalies.
1/2
The lab is openly accessible here: pkilab.certgraveyard.org
I'd love to get your feedback or hear if you have any problems. :)
Certificates are extracted client-side, allowing you to parse certs from 900MB+ size files.
2/2
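Not part of the thread or of the PKI Lab's code: an added Python example of the kind of client-side certificate parsing and anomaly flagging the posts above describe. It walks DER by hand so it needs no third-party library, builds two constructed sample certificates (placeholder key and signature, not real issued certs), and flags the traits this thread keeps coming back to: a code-signing EKU, a subject organisation on a watchlist of the signer names quoted in the posts, and very recent issuance. The sample certificates, the reference time `NOW`, the 30-day freshness window and the watchlist are assumptions made for the demonstration.

```python
# Added example (not Cert Graveyard code): minimal DER walker for code-signing cert triage.
from datetime import datetime, timedelta, timezone

OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning
OID_EKU = "2.5.29.37"                    # extKeyUsage extension
OID_CN, OID_O, OID_C = "2.5.4.3", "2.5.4.10", "2.5.4.6"

# ---- tiny DER encoder, used only to build the constructed sample certificates ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long-form length for content >= 128 bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content
def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                    # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))
def name(attrs):  # X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }
    return der(0x30, b"".join(der(0x31, der(0x30, encode_oid(o) + der(0x0C, v.encode()))) for o, v in attrs))
def utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
def build_sample_cert(not_before, not_after, subject_attrs, ekus):
    """Structurally valid X.509 v3 skeleton; public key and signature are zero placeholders."""
    sha256_rsa = der(0x30, encode_oid("1.2.840.113549.1.1.11"))
    spki = der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + der(0x03, b"\x00" * 9))
    eku_ext = der(0x30, encode_oid(OID_EKU) + der(0x04, der(0x30, b"".join(encode_oid(e) for e in ekus))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01\x23") + sha256_rsa
              + name([(OID_CN, "Example Issuing CA"), (OID_O, "Example CA Ltd")])
              + der(0x30, utctime(not_before) + utctime(not_after)) + name(subject_attrs)
              + spki + der(0xA3, der(0x30, eku_ext)))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 9))

# ---- DER parser: just enough of X.509 to reach serial, names, validity and EKU ----
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out
def decode_oid(b):
    arcs, cur = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))
def parse_name(value):
    attrs = {}
    for _, rdn in children(value):
        for _, atv in children(rdn):
            (_, oid), (_, text) = children(atv)
            attrs[decode_oid(oid)] = text.decode()
    return attrs
def parse_time(value):
    return datetime.strptime(value.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
def parse_cert(der_bytes):
    _, cert, _ = read_tlv(der_bytes)
    (_, tbs), _, _ = children(cert)         # tbsCertificate, signatureAlgorithm, signatureValue
    f = children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0         # skip the optional [0] version field
    nb, na = (parse_time(v) for _, v in children(f[i + 3][1]))
    ekus = []
    for tag, val in f[i + 6:]:
        if tag == 0xA3:                     # [3] extensions
            (_, exts), = children(val)
            for _, ext in children(exts):
                parts = children(ext)       # extnID, [critical], extnValue
                if decode_oid(parts[0][1]) == OID_EKU:
                    _, seq, _ = read_tlv(parts[-1][1])
                    ekus = [decode_oid(o) for _, o in children(seq)]
    return {"serial": int.from_bytes(f[i][1], "big"), "issuer": parse_name(f[i + 2][1]),
            "subject": parse_name(f[i + 4][1]), "not_before": nb, "not_after": na, "eku": ekus}

# ---- triage: the anomaly flags a cert-abuse watcher cares about ----
WATCHLIST = {"soft insanity oy", "trust & sign poland sp z o o"}   # signer names quoted in the thread
def flag_anomalies(cert, now, watchlist=WATCHLIST, fresh_days=30):
    flags = []
    if OID_CODE_SIGNING in cert["eku"]:
        flags.append("code-signing EKU")
    org = cert["subject"].get(OID_O, "")
    if org.strip().lower() in watchlist:
        flags.append(f"subject O on watchlist: {org}")
    age = now - cert["not_before"]
    if age < timedelta(days=fresh_days):    # freshly issued certs are the recurring pattern above
        flags.append(f"issued {age.days} days ago")
    if not cert["not_before"] <= now <= cert["not_after"]:
        flags.append("outside validity period")
    return flags

NOW = datetime(2025, 11, 20, tzinfo=timezone.utc)          # constructed reference time
SUSPECT_CERT = build_sample_cert(datetime(2025, 11, 3, tzinfo=timezone.utc), datetime(2026, 11, 3, tzinfo=timezone.utc),
                                 [(OID_C, "FI"), (OID_O, "Soft Insanity Oy"), (OID_CN, "Soft Insanity Oy")], [OID_CODE_SIGNING])
BENIGN_CERT = build_sample_cert(datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2026, 1, 1, tzinfo=timezone.utc),
                                [(OID_O, "Example Software Ltd"), (OID_CN, "example.test")], ["1.3.6.1.5.5.7.3.1"])
```

Running `flag_anomalies(parse_cert(SUSPECT_CERT), NOW)` yields three flags (code-signing EKU, watchlisted subject organisation, issued 17 days before the reference time), while the benign sample with a serverAuth EKU and an older issuance date yields none. The same `parse_cert` works on the DER certificates pulled out of a PE's Authenticode PKCS#7 blob, which is what makes client-side extraction from large binaries practical: only the certificate bytes need to be decoded, never the whole file.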