The APT (advanced persistent threat) group identified as ‘Bronze Starlight’ was found targeting the Southeast Asian gambling sector with malware, which was authenticated using a genuine certificate of the Ivacy VPN service provider.

The significant advantage of using a valid certificate is to seamlessly navigate through security protocols, preventing system alerts, and seamlessly integrating with authorized software and traffic.

SentinelLabs, responsible for evaluating the campaign, stated that the certificate is the property of PMG PTE LTD, a Singapore-based distributor of the ‘Ivacy VPN’ product.

The cyber intrusions documented in March 2023 seem to be a continuation of the ‘Operation ChattyGoblin,’ as detailed in a report by ESET between Q4 2022 and Q1 2023.

Nevertheless, SentinelLabs highlighted the difficulty in pinning these to distinct clusters because of the prevalent tool sharing amongst various Chinese threat groups.

DLL Side-Loading

The offenses typically initiate by introducing .NET executable files (agentupdate_plugins.exe and AdventureQuest.exe) into the victim’s system, presumably through compromised chat applications. These files subsequently retrieve password-secured ZIP archives from Alibaba storage containers.

The malware instance, AdventureQuest.exe, was initially discovered by the MalwareHunterteam in May. Their analysis revealed that its code-signing certificate matched the one employed for legitimate Ivacy VPN setups.

Contained within these archives are vulnerable software versions, including Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan. These can be compromised via DLL hijacking. The Bronze Starlight culprits exploit these susceptible programs to embed Cobalt Strike trackers within the systems they target.

The archives have malicious DLLs (libcef.dll, msedge_elf.dll, LockDown.dll) packed with the genuine application executable files. When executed, Windows gives priority to these DLLs over the safer versions located in C:\Windows\System32, thus sanctioning the malicious code’s operation.

SentinelLabs remarked on the .NET executable’s geofencing limitation, which stops the malware from functioning in countries like the United States, Germany, France, India, Canada, or the United Kingdom.

Although these nations are not within the objective of this campaign and have been omitted to avoid detection, a flaw in the geofencing execution renders it ineffective.

Certificate Misuse

One noteworthy element of these attacks is the deployment of a code-signing certificate owned by PMG PTE LTD, the entity responsible for Ivacy VPN.

This very certificate is also employed to authenticate the official Ivacy VPN installer accessible via the VPN provider’s official site.

SentinelLabs speculates, “There’s a possibility that the PMG PTE LTD signing key was compromised – a common strategy employed by recognized Chinese threat entities to facilitate malware authentication.”

“The emphasis on VPN providers stems from their ability to provide threat entities with potential access to confidential user data and exchanges.”

With concerns rising about the extent of access the perpetrators might have had within the VPN provider, especially if the certificate was indeed compromised, PMG PTE LTD has remained silent, offering no public clarification on the issue.

DigiCert, addressing the situation, nullified the certificate in early June 2023, citing a breach of the “Baseline Requirements” guidelines.

Attempts to reach out to Ivacy concerning the exploited code-signing certificate by various outlets have remained unanswered.