Various cases of certificate abuse have been reported over the years, but a new phishing technique built around a fake certificate warning is now being used to distribute malware.
Visitors to a compromised site see the following warning:
The warning states that the site's security certificate is out of date. An expired certificate would be the domain owner's problem and nothing a visitor can fix, yet victims are urged to install a "security certificate update" in order to continue. A genuine certificate problem is reported by the browser's own interstitial page before any site content loads, never by a banner inside the page itself.
The message is served inside an iframe whose content is loaded by a jquery.js script fetched from a third-party command-and-control (C2) server. The browser's address bar still shows the legitimate domain, so users have no visible sign that anything is wrong.
"The jquery.js script covers an iframe that is exactly the same size as the page," the researchers say. "As a result, instead of the original page, the user sees a seemingly authentic banner requesting the immediate installation of a certificate update."
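The injection pattern described above, a script named like jQuery but loaded from an unrelated host, followed by a cross-origin iframe sized to cover the whole page, leaves two artifacts in the page's HTML that can be checked for. The scanner below is an added example and is not code from the article or from the researchers; the page URL, the hostnames, the trusted-CDN list and the sample HTML are all constructed for illustration.

```javascript
// Scanner for the overlay-iframe injection pattern. Everything here is an
// added example with constructed input; the hostnames are not from the campaign.

const PAGE_URL = 'https://www.example-victim.test/index.html'; // assumed legitimate site
const TRUSTED_SCRIPT_ORIGINS = ['https://code.jquery.com'];     // assumed allow-list

// Constructed sample page: a first-party jquery.js, a "jquery.js" served from an
// unrelated host, a fixed full-viewport iframe from that host, and a normal embed.
const SAMPLE_HTML = `
<html><head>
<script src="/assets/jquery.js"></script>
<script src="https://cdn.attacker-c2.test/jquery.js"></script>
</head><body>
<p>Legitimate page content</p>
<iframe src="https://cdn.attacker-c2.test/update.html"
        style="position:fixed;top:0;left:0;width:100%;height:100%;border:0;z-index:9999"></iframe>
<iframe src="https://www.video-host.test/embed/abc" width="560" height="315"></iframe>
</body></html>`;

// Return every <tagName ...> in the HTML as a map of lower-cased attribute
// names to values (double-quoted, single-quoted and unquoted values supported).
function parseTags(html, tagName) {
  const tagRe = new RegExp(`<${tagName}\\b([^>]*)>`, 'gi');
  const attrRe = /([a-zA-Z_:][\w:.-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const tags = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4] !== undefined ? a[4] : '';
      attrs[a[1].toLowerCase()] = value;
    }
    tags.push(attrs);
  }
  return tags;
}

// Resolve a possibly relative URL against the page; null if it is not a URL.
function resolve(url, base) {
  try { return new URL(url, base); } catch (e) { return null; }
}

// Parse an inline style attribute into a property -> value map (lower-cased).
function parseStyle(style) {
  const decl = {};
  for (const part of (style || '').split(';')) {
    const i = part.indexOf(':');
    if (i > 0) decl[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim().toLowerCase();
  }
  return decl;
}

// A frame taken out of the document flow and sized to the full viewport or page
// is the overlay shape described in the article; ordinary embeds have fixed
// pixel sizes and sit inside the content.
function isFullPageOverlay(attrs) {
  const s = parseStyle(attrs.style);
  const covers = v => v === '100%' || v === '100vw' || v === '100vh';
  const positioned = s.position === 'fixed' || s.position === 'absolute';
  return positioned && covers(s.width || attrs.width) && covers(s.height || attrs.height);
}

// Flag (1) scripts named like jQuery that come from neither the page's own
// origin nor an allow-listed CDN, and (2) cross-origin iframes that cover the page.
function scan(html, pageUrl, trustedOrigins = TRUSTED_SCRIPT_ORIGINS) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = { thirdPartyJquery: [], overlayIframes: [] };

  for (const s of parseTags(html, 'script')) {
    const u = s.src ? resolve(s.src, pageUrl) : null;
    if (!u) continue;
    const name = u.pathname.split('/').pop();
    const trusted = u.origin === pageOrigin || trustedOrigins.includes(u.origin);
    if (!trusted && /^jquery(\.min)?\.js$/i.test(name)) findings.thirdPartyJquery.push(u.href);
  }

  for (const f of parseTags(html, 'iframe')) {
    const u = f.src ? resolve(f.src, pageUrl) : null;
    if (!u) continue;
    if (u.origin !== pageOrigin && isFullPageOverlay(f)) findings.overlayIframes.push(u.href);
  }
  return findings;
}

console.log(JSON.stringify(scan(SAMPLE_HTML, PAGE_URL), null, 2));
```

The script check is only a heuristic: a site that legitimately loads jQuery from a CDN not on the allow-list will trigger it, which is why the allow-list is a parameter. The iframe check is the stronger signal, since a legitimate page has little reason to stack a cross-origin frame over its entire viewport; a runtime version of the same check can be run from the browser's developer console against `document.querySelectorAll('iframe')` using `getBoundingClientRect()` instead of the inline style.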
If the victim clicks the update button, a file named Certificate_Update_v02.2020.exe is downloaded.
When run, the executable installs one of two malware families on the victim's machine: Mokes or Buerak.
Mokes is a backdoor for macOS and Windows that is considered sophisticated: it can execute code, take screenshots and steal data from the computer, including files, audio and video, and it uses AES-256 encryption to conceal its activity.
Buerak, on the other hand, is a Windows Trojan that can execute code, tamper with running processes, steal content and more.