Research by SentinelLabs has found that a Chinese hacking group known as Bronze Starlight has been signing malware targeting the Southeast Asian gambling industry with a valid code-signing certificate, the same one used by Ivacy VPN.
SecurityAffairs, which publicised the issue, notes that signing with Ivacy VPN's certificate makes it far easier for the hackers to get their malware past security controls without raising suspicion or triggering a response, and so to land on target devices.
However, the issue itself was first raised by MalwareHunterTeam on X (formerly Twitter) as far back as May 29th, 2023.
What have the Chinese hackers been up to?
Bronze Starlight's attacks, as analysed by SentinelLabs, were observed in March 2023 and are believed to be part of a longer-running campaign dubbed Operation ChattyGoblin.
The assault begins with .NET executables (notably AdventureQuest.exe) landing on the victim's system, possibly delivered through trojanised chat applications.
These executables then retrieve password-protected ZIP archives from Alibaba cloud storage. The archives carry vulnerable versions of legitimate programs such as Adobe Creative Cloud, Microsoft Edge and McAfee VirusScan, which are susceptible to DLL hijacking: the signed, trusted executable is run so that it loads the attackers' DLL in place of the one it expects.
AdventureQuest.exe was first spotted by the researcher MalwareHunterTeam in May, who observed that the certificate used to sign it was identical to the one used on legitimate Ivacy VPN installers.
Interestingly, SentinelLabs note that the identified executables carry geo-restrictions that prevent the malware from running in a number of countries, including the United States, Germany, France, Russia, India, Canada, and the United Kingdom.
There are two likely reasons for this. One is that these regions are simply not the targets of this campaign; the other is that steering clear of them significantly reduces the chances of the operation being detected and analysed.
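For defenders, the practical question raised by this campaign is whether anything on their Windows estate is signed with the Ivacy VPN certificate (issued to PMG PTE LTD) and sits next to an unsigned DLL, the footprint of the DLL-hijacking technique described above. The script below is an added example written for this article; it is not code from SentinelLabs, MalwareHunterTeam or Ivacy VPN. It uses only built-in PowerShell cmdlets. The search roots, the subject-name pattern and the output columns are assumptions for illustration and should be adapted to your environment.

```powershell
# Added example for this article (not vendor or researcher code).
# Hunts for executables whose Authenticode signer subject matches the Ivacy VPN
# certificate holder and lists sibling DLLs that are not validly signed, which is
# the usual layout of a DLL-hijacking drop (trusted signed EXE + attacker DLL).
# $SearchRoots and $SubjectPattern are assumptions; adjust them for your estate.

param(
    [string[]]$SearchRoots = @(
        "$env:USERPROFILE\Downloads",
        "$env:LOCALAPPDATA",
        "$env:TEMP",
        "$env:ProgramData"
    ),
    [string]$SubjectPattern = 'PMG PTE'   # subject of the signing certificate named in the article
)

function Get-SuspectSignedBinaries {
    param([string[]]$Roots, [string]$Pattern)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -Path $root -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($null -eq $sig.SignerCertificate) { return }
                if ($sig.SignerCertificate.Subject -notmatch $Pattern) { return }

                # A DLL beside the signed EXE that is itself unsigned or fails
                # validation is the indicator worth triaging, not the EXE alone.
                $unsignedDlls = Get-ChildItem -Path $_.DirectoryName -File -Filter *.dll -ErrorAction SilentlyContinue |
                    Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
                    Select-Object -ExpandProperty Name

                [pscustomobject]@{
                    Path         = $_.FullName
                    # 'Valid' here means the chain built and the hash matched at scan time;
                    # it is not proof that the certificate has not since been revoked.
                    Status       = $sig.Status
                    Subject      = $sig.SignerCertificate.Subject
                    Thumbprint   = $sig.SignerCertificate.Thumbprint
                    Serial       = $sig.SignerCertificate.SerialNumber
                    NotAfter     = $sig.SignerCertificate.NotAfter
                    UnsignedDlls = ($unsignedDlls -join ', ')
                }
            }
    }
}

Get-SuspectSignedBinaries -Roots $SearchRoots -Pattern $SubjectPattern | Format-Table -AutoSize
```

Treat a hit as a lead, not a verdict: the legitimate Ivacy VPN installer will match the subject pattern too. Compare the reported thumbprint and serial against the certificate on an installer you fetched directly from the vendor, confirm the revocation status against the issuing CA's CRL or OCSP responder rather than relying on the Status column, and examine any unsigned DLL sitting beside a matched executable before deciding whether the pair is the hijack pattern SentinelLabs describe.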
What is the role of Ivacy VPN?
While Ivacy VPN's certificate is implicated in this campaign, that does not appear to mean that Ivacy VPN, or its owner, is involved.
The certificate in question belongs to PMG PTE Ltd, the company behind Ivacy VPN. It is believed to be the same certificate used to sign the official Ivacy VPN installer linked from the provider's website.
But that doesn’t mean that they have handed it over willingly. Indeed, SentinelLabs states clearly that “it is likely that at some point the PMG PTE LTD signing key has been stolen – a familiar technique of known Chinese threat actors to enable malware signing.”
They also note that targeting VPN providers in this way is fairly commonplace. “VPN providers are critical targets since they enable threat actors to potentially gain access to sensitive user data and communications.”
However, for Ivacy VPN users the big question is this: if these hackers managed to get hold of the signing key, what else have they managed to take from Ivacy VPN?
While the certificate in question has now been revoked, the revocation was carried out by the issuing certificate authority, DigiCert, not by Ivacy VPN itself.
Indeed, despite the issue being identified several months ago, to date neither Ivacy VPN nor PMG PTE Ltd has issued any statement or responded to the media enquiries put to them by BleepingComputer. For users, that is the most worrying thing of all.
The VPN sector thrives on openness, which builds trust in providers and users alike. When a provider stays quiet about something as serious as this, it is difficult to avoid the suspicion that there is something they want to hide.
Here at VPNCompare, we urge Ivacy VPN to come clean about this hack, what information was accessed, and how they have dealt with it.
Until they do, our advice to Ivacy VPN customers is this: if online security and privacy matter to you, consider switching to a VPN provider that does not have a cloud like this hanging over it.