Duqu 2.0 malware used stolen certificate from Foxconn


The advanced malware that hit security company Kaspersky Labs this year, and which the company refers to as Duqu 2.0, used a stolen digital certificate from Foxconn in the infection.

Kaspersky has published further details on how Duqu 2.0 operates, the sophisticated malware with which the company found itself infected. The IT infrastructure of hotels where Western countries held diplomatic negotiations with Iran was also affected, which is why it is thought to be an espionage tool for state-sponsored hackers.

The 64-bit driver that Duqu 2.0 used for its stealthy installation was signed with a valid digital certificate belonging to Hon Hai Precision Industry, dated February 2015; 64-bit versions of Windows require drivers to carry a valid signature. Hon Hai is the company that manufactures hardware under the Foxconn name for many large computer, tablet and smartphone makers such as Apple, Microsoft, Dell and HP. Earlier, the related malware Stuxnet and Duqu 1.0 used certificates from the Taiwanese companies JMicron and Realtek in their infections.

Kaspersky notes that the attackers have so far not used certificates twice, raising fears that they have enough alternatives. Digital certificates are used as signatures to confirm the authenticity of software, and their theft and misuse undermines trust in the authentication method.

The Duqu 2.0 operators managed to plant drivers on the firewalls, gateways and servers that connect corporate networks to the internet. Once a secret keyword, ‘romanian.antihacker’, was presented, those drivers would tunnel Remote Desktop and SMB traffic and make it look like HTTPS traffic. Duqu 2.0 also used port 47012, for which Kaspersky knows of no previous examples.
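As an added illustration (not from the article or from Kaspersky), here is a defender-side check over constructed flow records: it flags any connection to port 47012 and any connection to an HTTPS port whose first client bytes are an RDP or SMB header rather than a TLS record. The port number comes from the article; the byte signatures are the standard TLS, TPKT and SMB header layouts, and the sample flows are constructed.

```python
# Added example, not part of the original article: classify captured TCP
# client payloads that should be HTTPS, flagging ones that are really RDP or
# SMB, plus any flow on the unusual port the article attributes to Duqu 2.0.
from dataclasses import dataclass

SUSPICIOUS_PORT = 47012  # port the article says Duqu 2.0 used


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent


def looks_like_tls(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version major byte 0x03
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def looks_like_rdp(payload: bytes) -> bool:
    # RDP over TCP starts with a TPKT header: version 3, reserved byte 0
    return len(payload) >= 4 and payload[0] == 0x03 and payload[1] == 0x00


def looks_like_smb(payload: bytes) -> bool:
    # 4-byte NetBIOS session header, then SMB1 "\xffSMB" or SMB2 "\xfeSMB"
    return len(payload) >= 8 and payload[4:8] in (b"\xffSMB", b"\xfeSMB")


def classify(flow: Flow) -> str:
    """Return "ok" or a "suspicious: ..." verdict for one flow."""
    reasons = []
    if flow.dport == SUSPICIOUS_PORT:
        reasons.append(f"port {SUSPICIOUS_PORT}")
    if flow.dport in (443, SUSPICIOUS_PORT) and not looks_like_tls(flow.payload):
        if looks_like_rdp(flow.payload):
            reasons.append("RDP disguised as HTTPS")
        elif looks_like_smb(flow.payload):
            reasons.append("SMB disguised as HTTPS")
        else:
            reasons.append("non-TLS on HTTPS port")
    return ("suspicious: " + ", ".join(reasons)) if reasons else "ok"


# Constructed sample flows (not real capture data)
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),  # real TLS ClientHello
    Flow("10.0.0.5", "203.0.113.7", 443, b"\x03\x00\x00\x13\x0e\xe0\x00\x00"),  # RDP X.224 connect
    Flow("10.0.0.9", "203.0.113.8", 443, b"\x00\x00\x00\x45\xfeSMB\x40\x00"),  # SMB2 negotiate
    Flow("10.0.0.9", "203.0.113.8", 47012, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),  # TLS on odd port
]


def scan(flows):
    return [(f.src, f.dst, f.dport, classify(f)) for f in flows]


if __name__ == "__main__":
    for row in scan(SAMPLE_FLOWS):
        print(row)
```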
