To avoid detection, attackers may generate a self-signed SSL/TLS certificate whose subject name impersonates a legitimate entity.

Malware/Threat actors

Name          Type                    Years      Source
Group-IB      <threat actor/malware>  2016-2017  Group-IB_MoneyTaker_report.pdf
                                                 Group-IB_Lazarus.pdf
                                                 Anunak_APT_against_financial_institutions.pdf
Wild Neutron  threat actor            2013-2015  WildNeutron_Economic_espionage.pdf
                                                 ICIT-Brief-Know-Your-Enemies-2.0.pdf
Copy Kittens  threat actor            2013-2017  Operation_Wilted_Tulip%20(1).pdf

Preventions

<Mitigation techniques>

Detections

  • Monitor the certificates in use across the environment and flag self-signed certificates. Extract the commonName field from each such certificate and compare its base domain against the Alexa top one million; a self-signed certificate carrying a popular domain's name is a likely impersonation.
  • Compare the SHA1 hash of the certificate against abuse.ch's SHA1 blacklist.
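As an added example, not part of this page, the two checks above applied in Python to constructed certificate log records; the top-domain set, the SHA1 blacklist and the records are stand-ins, and base_domain uses a plain two-label rule rather than the public suffix list:

```python
import re

# Constructed stand-ins: a few entries in the spirit of the Alexa top million
# (base domains) and of the abuse.ch SHA1 blacklist (lowercase hex).
TOP_DOMAINS = {"google.com", "microsoft.com", "paypal.com", "amazon.com"}
SHA1_BLACKLIST = {"4444444444444444444444444444444444444444"}

def parse_cn(dn):
    """Return the commonName from a DN string like 'CN=foo,O=bar', lowercased."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip().lower() if m else None

def base_domain(name):
    """Reduce a CN to its last two labels, stripping any '*.' wildcard prefix.
    Assumption: two-label rule; suffixes such as 'co.uk' need a public suffix list."""
    labels = name.lstrip("*.").rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def is_self_signed(record):
    # A self-signed certificate carries the same DN as both subject and issuer.
    return record["subject"] == record["issuer"]

def evaluate(record):
    """Return the detection reasons for one certificate record (empty list = clean)."""
    reasons = []
    if record["sha1"].lower() in SHA1_BLACKLIST:
        reasons.append("sha1 on abuse.ch blacklist")
    if is_self_signed(record):
        cn = parse_cn(record["subject"])
        base = base_domain(cn) if cn else None
        # Self-signed alone is noisy (internal hosts); flag only popular-domain lookalikes.
        if base in TOP_DOMAINS:
            reasons.append(f"self-signed certificate impersonating {base}")
    return reasons

# Constructed records with the fields a TLS/x509 log would carry.
SAMPLE_RECORDS = [
    {"sha1": "1" * 40, "subject": "CN=www.paypal.com,O=PayPal Inc,C=US",
     "issuer": "CN=Example Public CA,O=Example Trust"},              # CA-signed: clean
    {"sha1": "2" * 40, "subject": "CN=*.login.microsoft.com,O=Microsoft Corporation",
     "issuer": "CN=*.login.microsoft.com,O=Microsoft Corporation"},  # impersonation
    {"sha1": "3" * 40, "subject": "CN=intranet.corp.local",
     "issuer": "CN=intranet.corp.local"},                             # internal: clean
    {"sha1": "4" * 40, "subject": "CN=localhost", "issuer": "CN=localhost"},  # blacklisted
]

def run(records=SAMPLE_RECORDS):
    """Map each certificate SHA1 to its detection reasons."""
    return {r["sha1"]: evaluate(r) for r in records}
```

Feeding real x509 log records into run() only requires the sha1, subject and issuer fields; everything else is ignored.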

Toolkit

<Toolkit instructions, if applicable>

Similar techniques

References