Expired Certificate Warning—Outage or Malware Attack in Disguise?

March 17, 2020 | David Bisson

It’s bad enough when your website visitors receive an expired certificate warning that indicates a lapse in your security. But it’s even worse when these warnings actually harm visitors by allowing malware to download on their computers. Researchers spotted an attack campaign in which malicious actors used fake expired security certificate notifications to target users with malware.


Inside This Clever Attack Campaign

Kaspersky Lab discovered that those behind the campaign were using various infected websites to advance their malicious ends. Those websites ranged from a zoo to a vendor of auto parts, with the earliest compromises dating back to mid-January 2020.

On each infected website, the digital criminals inserted code that loaded the malicious jquery.js script “ldfidfa[.]pw/jquery.js?&up= &ts= &r= &u= &c=.” The script, in turn, loaded an iframe from https[:]//ldfidfa[.]pw//chrome.html and displayed the iframe’s content as an overlay with the exact same dimensions as the page—all except for the address bar, which still displayed the legitimate web address. Via this technique, attackers created the appearance of a security notification that urged users to update an expired security certificate.

A screenshot of the fake security certificate notification. (Source: Kaspersky Lab)

Security Certificate is out of date.

Detected a potential security risk and has not extended the transition to

Installing a security certificate may allow this connection to succeed.

Not surprisingly, nothing good happened when users decided to click on the “Install Recommended” button. As Kaspersky Lab noted in its research:

“Clicking the Install (Recommended) button on the banner initiates the download of the file Certificate_Update_v02.2020.exe, which we detect as Exploit.Win32.ShellCode.gen. Analysis of the file showed it to be Trojan-Downloader.Win32.Buerak, packed using Nullsoft Scriptable Install System. It is not the only malware distributed by the attackers. For example, Backdoor.Win32.Mokes was spread via the same campaign earlier in January.”

A Historical Look at Mokes

The Russian security firm first detected the Windows and Linux versions of the Mokes backdoor back in January 2016. Less than a year later, the company’s security tools came across the threat’s OS X variant “Backdoor.OSX.Mokes.a.”

All of these versions of the cross-platform backdoor were capable of executing arbitrary commands on a victim’s computer. Via these commands, Mokes could then proceed to steal various pieces of information from its victims including screenshots, audio and video files, Office documents and keystrokes. It then exfiltrated this data back to its command-and-control (C&C) server using AES-256-CBC encrypted communication.

Best Security Practices for Organizations

The campaign described above represents just the latest disguise employed by digital criminals to conceal their malware. In the past, some attack campaigns have used a fake browser update to prey upon users. Other operations have leveraged phony updates to Adobe Flash Player.

Acknowledging these efforts, organizations should make an effort to secure their domains against compromise. They can do this by creating a strong set of credentials to protect their domains against brute force attacks. As an added layer of protection, organizations should also activate MFA to safeguard their domains in the event that their credentials are compromised.

Pratik Selva, Senior Security Engineer at Venafi, suspects that the security community will see more of these types of attacks in the future. In light of this likelihood, Selva feels that organizations need to do even more to safeguard their websites:

“To minimize the risk of these kinds of incidents the site owners need to regularly patch any third-party web applications they use to remediate known vulnerabilities and regularly inspect their pages for any kind of unauthorized change or modification. They also need to be on the look-out for any kind of obfuscated JavaScript within webpages. Web users need to diligently patch all client applications. More technical users may also be able to inspect the source of a site page and report any instances of compromise to the site owner. Otherwise, even with widespread awareness of this type of campaign/attack, users are still at risk of being compromised.”
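The injected-loader technique described above and Selva's advice to inspect pages for unauthorized changes and obfuscated JavaScript suggest a simple site-owner check: inventory every script a page loads and flag anything from a host not on the site's own allowlist, plus inline blocks with obfuscation markers. The following is an added example, not code from the post or from Kaspersky Lab or Venafi; the allowlist, the obfuscation patterns and the sample page are constructed assumptions, with the injected script source taken from the campaign as described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com"}

# Cheap indicators of obfuscated inline JavaScript (eval chains, char-code decoding).
OBFUSCATION_PATTERNS = [re.compile(p) for p in
                        (r"eval\s*\(", r"String\.fromCharCode", r"unescape\s*\(")]

class ScriptInventory(HTMLParser):
    # Collects external <script src> values and the bodies of inline <script> blocks.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    # Returns (reason, detail) findings: scripts from unlisted hosts, obfuscated inline code.
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src in inv.external:
        host = urlparse(src).netloc.lower()  # relative paths have no host and are skipped
        if host and host not in allowed_hosts:
            findings.append(("unlisted-script-host", src))
    for body in inv.inline:
        if any(p.search(body) for p in OBFUSCATION_PATTERNS):
            findings.append(("obfuscated-inline-script", body.strip()[:60]))
    return findings

# Constructed sample page: a legitimate CDN script, the injected loader described in the
# article (defanged domain written plainly so it parses), and an obfuscated inline block.
SAMPLE_PAGE = """<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script src="https://ldfidfa.pw/jquery.js?&up=&ts=&r=&u=&c="></script>
<script>var _0x1 = eval(String.fromCharCode(97,108,101,114,116));</script>
</head><body><h1>Zoo</h1></body></html>"""
```

Running `find_suspicious_scripts` over each page on a schedule and diffing the findings against the previous run turns this into the regular inspection Selva recommends.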

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.