Trojan Dropper Uses Valid Certificate Issued For Swiss Company

ID THREATPOST:1C361B7B90E41377DF7B150DE6C9837D
Type threatpost
Reporter Brian Donohue
Modified 2013-04-17T20:05:36


A pair of trojan droppers affiliated with a pay-per-click scam are using valid digital signatures from a certificate that was issued for a Swiss company, according to a report on Securelist.

Between December 2011 and March 7, 2012, the Kaspersky Security Network detected around 5,000 instances of the Mediyes trojan using a certificate issued to Conpavi AG, a Swiss company, according to a post by Kaspersky Lab researcher Vyacheslav Zakorzhevsky. The detections were predominantly in the Western European countries of Germany, Switzerland, Sweden, France, and Italy.

Conpavi conducts the majority of its business with the Swiss municipalities, cantons, and other government agencies. Kaspersky Lab has contacted Verisign, informed them about the threat, and asked them to revoke the certificate.

Mediyes is a dropper program – a kind of malicious program that acts like a pack mule: downloading and installing other programs, such as Trojan horse or remote access tools, on infected systems. Mediyes comes in both 32- and 64-bit varieties and is detected by Kaspersky Lab’s software as ‘Trojan-Dropper.Win32.Mediyes’ and ‘Trojan-Dropper.Win64.Mediyes’ respectively. Both variations inject a DLL into the browser that intercepts and redirects search queries as part of a pay-per-click advertising scheme.
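The Mediyes case shows why a signature that verifies as valid is not, by itself, evidence that a binary is trustworthy. The following PowerShell triage script is an added example (not code from Threatpost, Kaspersky Lab, or the article) that checks Authenticode status, forces an online revocation check on the signer chain, and compares the signer against an allowlist; the `$ExpectedPublishers` entries and the scan path are placeholder assumptions, and it requires Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example: triage Authenticode signatures on PE files. A "Valid" status alone is
# not enough (a stolen or misissued certificate verifies cleanly until it is revoked),
# so re-check revocation online and compare the signer against expected publishers.

# Hypothetical allowlist of publisher subjects your organisation expects to see.
$ExpectedPublishers = @(
    'CN=Example Corp, O=Example Corp, L=Redmond, S=Washington, C=US'
)

function Test-SignedBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path       = $Path
        SigStatus  = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = $null
        Thumbprint = $null
        ChainOk    = $false
        Revoked    = $false
        Allowed    = $false
    }

    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer     = $cert.Subject
        $result.Thumbprint = $cert.Thumbprint

        # Rebuild the signer chain with a live revocation check across the whole chain.
        # Get-AuthenticodeSignature can still report Valid while a revocation is only
        # pending or not yet cached locally.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $result.ChainOk = $chain.Build($cert)
        $result.Revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -match 'Revoked' })

        $result.Allowed = $ExpectedPublishers -contains $cert.Subject
    }
    [pscustomobject]$result
}

# Placeholder scan path: surface anything unsigned, revoked, chain-broken, or signed by
# a publisher not on the allowlist, so a "valid but unexpected" signer gets reviewed.
Get-ChildItem -Path 'C:\Path\To\Scan' -Include *.exe,*.dll -Recurse -File |
    ForEach-Object { Test-SignedBinary -Path $_.FullName } |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Revoked -or -not $_.ChainOk -or -not $_.Allowed }
```

A signer that is valid and not revoked but absent from the allowlist is the condition this article describes, and is the row to investigate first.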

This is not the first time that the CA system has been exploited for malicious purposes. A similar case popped up in November of last year when a piece of malware was found with a valid certificate signed by a Malaysian CA. The compromises at certificate authorities Comodo and DigiNotar also spurred calls within the security community for changes to the certificate authentication system.

This article was edited on March 15 to clarify that the certificate was issued for Conpavi AG, not by the company.