Posted on August 21, 2023 at 6:57 AM
A Chinese hacker group, Bronze Starlight, has launched a hacking campaign against the Southeast Asian gambling industry. The group signed its malware with a valid certificate, one associated with the Ivacy Virtual Private Network (VPN), to launch this malicious campaign.
Bronze Starlight hacker group linked to a recent campaign
The activities of this hacker group were revealed in research by SentinelLabs. According to the reports, abusing the Ivacy VPN certificate in this manner makes it easier for the hackers' malware to bypass whatever security controls are in place.
The group's activities can therefore continue without raising suspicion or triggering a response from the security tooling on the target's device. The researchers at MalwareHunterTeam on X, formerly known as Twitter, first flagged the threat posed by this malware; that report dates back to May 29, 2023.
The cyberattack was attributed to the Bronze Starlight hacker group and was also analyzed by SentinelLabs. It was first detected in March 2023 and is believed to be part of an ongoing campaign known as Operation ChattyGoblin.
The campaign usually starts with the threat actor delivering .NET executables, likely AdventureQuest.exe, to the victim's system through manipulated chat applications.
The executables then retrieve password-protected ZIP archives from Alibaba cloud storage. The chain relies on vulnerable versions of legitimate programs such as Adobe Creative Cloud, McAfee VirusScan, and Microsoft Edge, which are susceptible to DLL hijacking.
AdventureQuest.exe was first spotted by the MalwareHunterTeam researchers in May. At the time, they noted that the certificate used in the campaign was the same one used to sign legitimate Ivacy VPN installers.
SentinelLabs' research also found that the executables contain geo-restriction checks that prevent the malware from executing in a wide range of mostly Western countries, including Germany, France, the United States, Canada, India, Russia, and the United Kingdom.
One reason the hackers avoided these countries is that they were likely not the intended targets. Excluding them is also expected to lower the chances of the campaign being detected.
Role of Ivacy VPN
The Ivacy VPN certificate was used in this hacking campaign. However, the developers behind Ivacy VPN may have been unaware that their certificate was being used in it. The certificate is owned by PMG PTE Ltd, the company behind Ivacy VPN.
According to the researchers, the same certificate was used to sign the official Ivacy VPN installer distributed from the VPN provider's website. Nothing indicates, however, that the company willingly handed this certificate to the hackers.
SentinelLabs also said it is likely that PMG PTE LTD's signing keys were stolen at some point. Stealing signing keys is a familiar technique among Chinese threat actors for getting their malware signed.
According to the researchers, targeting VPN providers in this manner is quite common. VPN providers are attractive targets because compromising them can give threat actors access to sensitive user data and communications. The campaign now raises concerns for Ivacy VPN users, as the hackers may have accessed more information from their accounts.
The compromised certificate has since been revoked by DigiCert rather than by the Ivacy VPN team. Despite the issue being detected a few months ago, neither Ivacy VPN nor PMG PTE Ltd has released a statement or answered the questions raised by publications seeking to understand the campaign and how it happened.
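For defenders who want to find binaries on their endpoints signed with the publisher certificate discussed above, the following PowerShell hunt script is an added example, not code from the article, SentinelLabs, or Ivacy VPN. It assumes a substring of the signer's subject (`PMG PTE`) and takes the revoked certificate's thumbprint as a placeholder parameter, since the page gives neither the exact subject nor the thumbprint.

```powershell
# Added example: list signed PE files whose Authenticode signer matches a publisher name
# and flag any whose certificate thumbprint is on a known-revoked list.
param(
    [string]$Path = 'C:\Users',
    # Assumption: substring of the signer subject to hunt for (exact subject not on the page)
    [string]$PublisherPattern = 'PMG PTE',
    # Placeholder: fill in the revoked certificate's thumbprint from the CA or vendor advisory
    [string[]]$RevokedThumbprints = @('<REVOKED-CERT-THUMBPRINT-PLACEHOLDER>')
)

$files = Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue

foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    # Unsigned files have no SignerCertificate; they are out of scope for this hunt
    if ($null -eq $sig.SignerCertificate) { continue }

    $cert = $sig.SignerCertificate
    if ($cert.Subject -notmatch $PublisherPattern) { continue }

    [pscustomobject]@{
        File         = $f.FullName
        Signer       = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        # A 'Valid' status only means the signature chains to a trusted root at check time;
        # it does not by itself prove the certificate was never revoked, so compare thumbprints too
        Status       = $sig.Status
        KnownRevoked = $RevokedThumbprints -contains $cert.Thumbprint
        Sha256       = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
```

Run it from an elevated prompt and pipe the output to `Export-Csv` to keep a record of every match, including legitimate Ivacy VPN installers, for later triage against vendor-published hashes.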
The incident has raised concerns about the VPN sector, whose business depends on trust between users and providers. When a VPN provider fails to address a problem, it raises questions about whether it was aware of the campaign and whether the hackers accessed sensitive data.
Given the nature of this exploit, Ivacy VPN must clarify what happened. The provider should also tell customers what information may have been accessed and how the issue has been addressed.
Until Ivacy VPN addresses the matter, its customers are advised to take steps to protect their privacy and security. It is also essential that users choose a VPN provider that is transparent and open, so that their online privacy is maintained.