Threat Actors Use a VPN’s Code Signing Certificate to Deploy Cobalt Strike Malware
Security researchers have uncovered an espionage campaign targeting the Southeast Asian gambling industry. The campaign, linked to the China-aligned Bronze Starlight ransomware group, abuses legitimate, signed components of Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan that are vulnerable to DLL hijacking.
According to SentinelLabs researchers, the group used these tools to deploy Cobalt Strike malware on targeted machines.
The attacks use malware loaders (agentupdate_plugins.exe and AdventureQuest.exe) to deploy .NET executables on targeted machines; these download password-protected zip archives from Alibaba Cloud storage buckets. The malicious DLLs that the vulnerable applications sideload are stored in those archives.
The malware loaders implement a geofencing check meant to stop execution on machines whose IP addresses are in the US, Germany, France, Russia, India, the UK, or Canada. Due to implementation errors, however, the check does not work.
The actors, also tracked as DEV-0401 and SLIME34, even sign their malware with a stolen code signing certificate issued to the Ivacy VPN provider, Singapore-based PMG PTE Ltd. Abusing VPN providers is a common technique among Chinese APT groups, since VPNs give the attackers access to sensitive user information and communications.
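One way to turn the two indicators above (a signed vendor binary sideloading a DLL, and anything signed with the PMG PTE Ltd certificate) into a detection, as an added example that is not part of the SentinelLabs report or this article. The image-load records are constructed and simplified (they are not real Sysmon output), and the file paths, executable names, and exact signer subject strings are assumptions.

```python
"""Flag DLL sideloading and a known-abused signer in image-load telemetry.

Added example, not code from the SentinelLabs report. The records are
constructed and simplified (not real Sysmon output); executable names,
paths and signer subject strings are hypothetical.
"""
import ntpath

# Vendors whose signed binaries the campaign is reported to abuse as sideload hosts.
TRUSTED_HOST_SIGNERS = {"Adobe Inc.", "Microsoft Corporation", "McAfee, LLC"}
# Holder of the certificate reported stolen. Exact subject string is an assumption.
ABUSED_SIGNERS = {"PMG PTE LTD"}
# Directories where a vendor binary legitimately lives (hypothetical short list).
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def _norm(path):
    """Lower-case, backslash-normalise a Windows path so comparisons are stable."""
    return ntpath.normcase(ntpath.normpath(path))


def in_install_root(path):
    return _norm(path).startswith(INSTALL_ROOTS)


def classify(event):
    """Return the list of findings for one image-load record (empty if benign)."""
    host, dll = event["host_image"], event["loaded_image"]
    host_signer = event.get("host_signer") or ""
    dll_signer = event.get("loaded_signer") or ""
    findings = []

    # Rule 1: a trusted-vendor binary loads a DLL from its own directory that is
    # unsigned or signed by someone else, and the pair sits outside install roots.
    same_dir = ntpath.dirname(_norm(host)) == ntpath.dirname(_norm(dll))
    if (host_signer in TRUSTED_HOST_SIGNERS and same_dir
            and dll_signer != host_signer and not in_install_root(host)):
        findings.append("sideload")

    # Rule 2: either file is signed with the certificate reported as stolen.
    if any(s.upper() in ABUSED_SIGNERS for s in (host_signer, dll_signer)):
        findings.append("abused-signer")
    return findings


def scan(events):
    """Run classify() over a batch and keep only records with findings."""
    results = []
    for e in events:
        findings = classify(e)
        if findings:
            results.append((e["loaded_image"], findings))
    return results


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: Edge loading its own signed DLL from the install directory.
    {"host_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "host_signer": "Microsoft Corporation",
     "loaded_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll",
     "loaded_signer": "Microsoft Corporation"},
    # Suspicious: a copied vendor binary in %TEMP% loading an unsigned DLL beside it.
    {"host_image": r"C:\Users\bob\AppData\Local\Temp\update\vendorapp.exe",
     "host_signer": "Adobe Inc.",
     "loaded_image": r"C:\Users\bob\AppData\Local\Temp\update\helper.dll",
     "loaded_signer": None},
    # Suspicious: a sideloaded DLL signed with the stolen VPN-vendor certificate.
    {"host_image": r"C:\Users\bob\Downloads\scan\scanner.exe",
     "host_signer": "McAfee, LLC",
     "loaded_image": r"C:\Users\bob\Downloads\scan\plugin.dll",
     "loaded_signer": "PMG PTE LTD"},
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_EVENTS):
        print(f"{path}: {', '.join(findings)}")
```

The same-directory test is what distinguishes sideloading from ordinary dependency loading: the campaign drops the malicious DLL next to a legitimate signed executable so the loader resolves it first, and a DLL sitting beside a vendor binary in a user-writable directory with a different (or no) signer is the signal worth paging on. The signer blocklist is a stopgap until the certificate is revoked and endpoints pick up the revocation.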
The campaign is believed to be part of the ChattyGoblin-related activity described by ESET in its quarterly report. In March 2023, ESET identified this series of attacks, in which Chinese APT groups used trojanized chat applications to target Southeast Asian gambling companies.
"We observed malware and infrastructure likely related to China-aligned activities targeting this sector. The malware and infrastructure we analyze are related to indicators observed in Operation ChattyGoblin and are likely part of the same activity cluster," the report observed.
However, SentinelLabs states that despite observing techniques and tactics characteristic of Bronze Starlight, it is difficult to attribute the campaign to that group with confidence. The report notes that malware and infrastructure management processes are widely shared among Chinese APT groups, which makes "high confidence clustering difficult based on current visibility".