Skip Navigation
BlackBerry Blog

Digitally Signed Malware Targeting Gaming Companies

The Cylance SPEAR™ team has been working diligently to identify and track relationships between malware using stolen Authenticode code-signing certificates and common command and control (C2) infrastructure. The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates.

Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs).

The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia.

In this post we expand the usage of the term 'PassCV' to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.

PassCV Background

The PassCV group typically utilized publicly available RATs in addition to some custom code, which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae (CVs). PassCV continues to maintain a heavy reliance on obfuscated and signed versions of older RATs like ZxShell and Ghost RAT, which have remained a favorite of the wider Chinese criminal community since their initial public release.

SPEAR identified recent PassCV samples which implemented another commercial off-the-shelf (COTS) RAT called Netwire. This tool offers the attacker full control of the victim/host and is perhaps best known for its cross-platform compatibility, which includes support for Windows, Linux, OSX, and Solaris.

Overall, the antivirus (AV) industry has barely kept pace with the PassCV group, and although some samples and families are well detected, the majority of the signed samples continue to have extremely low detection rates.

SPEAR was able to identify several other distinct malware families that we believe to be related to the PassCV group based upon common stolen Authenticode certificates. The Kitkiot and Sabresac (also known as Saber or Excalibur based upon strings in the binaries) malware families were deployed by the group for distinct purposes.

Saber is a custom RAT that periodically queries a web-based C2 server for commands. The only active instances SPEAR was able to identify were hosted on the Chinese code development site 'csdn(dot)net'. Kitkiot variants are commonly installed alongside other types of malware and often included additional functionality, including:

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) capabilities
  • The ability to hijack and steal in-game account information and items from multiple online gaming platforms
  • In some rare cases these were used for click-through advertising fraud.

 

The Saber Family

The Saber malware utilizes a custom base64 alphabet for decoding messages from its C2 servers. The malware will decode an obfuscated string found on the site it has been programmed to contact. It will then communicate to the actual C2 for further instructions to execute. SPEAR only observed samples that employed clear-text communication between the victim and the actual C2. The malware accepts any windows shell command the attackers pass back via the C2.

To start the C2 process, Saber samples commonly used blogs on the Chinese-based information technology and development website ‘blog.csdn[dot]net’. The malware executes an HTTP GET request to one or more blog page(s). The malware then looks for the string format 'saberstart.<encoded_string>.saberend' in the response data once the link is retrieved. The data stored between the strings 'saberstart.' and '.saberend' is encoded with a custom Base64 alphabet which contains a follow-on C2 address and a port separated with an uppercase 'W'.

SPEAR developed the following Python snippet to aid in decoding the Saber C2 messages:

Fig1-PassCV-FIXED.jpgFigure 1: Python Script to Decode Saber C2 Messages

The exact URLs varied among samples, but SPEAR was able to identify the following C2 URLs:

URL: http://blog.csdn[dot]net/u013761036/article/details/45542243
Contained: saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahES+mEMaMSLcgSTjNIPch0PIz.saberend
Accessed: 814,896 times = Number of page visits at the time of writing
Decodes to: gotofindsocketsvcW118.123.19.9W25965#

URL: http://blog.csdn[dot]net//saber00001//article//details//50444103
Contained: saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahIN+mIOcgSR+mIMbo4MbhnSala.saberend
Accessed: 2,167,985 times = Number of page visits at the time of writing
Decodes to: gotofindsocketsvcW123.249.7.226W25982#

URL: http://blog.csdn[dot]net//saber00002//article//details//50444149
Contained: saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahIN+mIOcgSR+mIMbo4MbhnSala.saberend
Accessed: 1,257,722 times = Number of page visits at the time of writing
Decodes to: gotofindsocketsvcW123.249.7.226W25982#

URL: http://blog.csdn[dot]net//saber00003//article//details//50444185
Contained: saberstart.IQ5y5GXp2kTn4QXm2QjO4R1mjNEMaMSMbDnxcDExamAMjNIPch8PIz.saberend
Accessed: 474,514 times = Number of page visits at the time of writing
Decodes to: #gotofindsocketsvcW123.249.81.202W25985#

URL: http://blog.csdn[dot]net//saber00004//article//details//50444188
Contained: saberstart.IQ5y5GXp2kTn4QXm2QjO4R1mjNEMaMSMbDnxcDExamAMjNIPch8PIz.saberend
Accessed: 486,925 times = Number of page visits at the time of writing
Decodes to: #gotofindsocketsvcW123.249.81.202W25985#

URL: http://blog.csdn[dot]net//asdasdasdasddadasd//article//details//50443203
Contained: saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahES+mEMaMSLcgSTjNIPch0PIz.saberend
Accessed: 3,333,320 times = Number of page visits at the time of writing
Decodes to: gotofindsocketsvcW118.123.19.9W25965#'

URL: http://blog.csdn[dot]net//dasdmkdwovcs//article//details//50925619
Contained: saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahIN+mIOcgSR+mIMbo4MbhnSala.saberend
Accessed: 7,475,132 times = Number of page visits at the time of writing
Decodes to: gotofindsocketsvcW123.249.7.226W25982#

URL: http://blog.csdn[dot]net//u013761036/article/details/45542243
Contained: saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahES+mEMaMSLcgSTjNIPch0PIz.saberend
Accessed: 983,239 times = Number of page visits at the time of writing
Decodes to: gotofindsocketsvcW118.123.19.9W25965#

SPEAR was able to successfully emulate the remote C2 server, and during testing we were able to send and remotely execute any command on the (hypothetical) victim system.

Saber Relationships

While researching the Saber family we found a similar .PDB file path in several samples:

          "F:\\Excalibur\\Excalibur\\Excalibur\\bin\\oSaberSvc.pdb"
          "D:\\Excalibur\\Excalibur\\Excalibur\\bin\\oSaberSvc.pdb"
          "F:\\Excalibur\\Excalibur\\Excalibur\\bin\\Shell.pdb"

The malware author originally employed the username ‘Excalibur_C’ (similar to the .PDB file paths) when creating the C2 page:

          ‘http://blog.csdn[dot]net/u013761036/article/details/45542243’

This was the earliest post that SPEAR was able to identify that contained the encoded Saber commands, with a post date of 2015-05-06 22:20. The same author made numerous other programming related posts in addition to this page:

Fig3-PassCV.png

Figure 2: Excalibur Blog Posts

 Since the time we first started working on this write-up, the Saber author has presumably gained some additional attention and it seems the username and icon on the blog were changed as a result:

Fig4-PassCV.png

Figure 3: Excalibur's New Username

SPEAR also identified a newer variant during our investigation and subsequent write-up. The compile timestamp indicated that the sample was compiled on August 3, 2016. The newer variant leveraged two different domains:

          ‘d26yaxxlnmhaem(dot)cloudfront.net’
          ‘d1wmnlsnh8rftl(dot)cloudfront.net’

The variant also downloaded additional 7-Zip self-extracting archives that ultimately installed the Saber malware onto the infected system. Several other signed variants have also been distributed from the domain:

          ‘dhd29up7zcdyt(dot)cloudfront.net’

‘Cloudfront.net’ belongs to Amazon’s content delivery network, Amazon CloudFront. This recent move could indicate the attackers are looking for a more robust means of distribution to continue spreading their malware.

The Kitkiot family

Kitkiot malware has been publicly linked to the ‘dns-syn[dot]com’ domain which has direct ties to the group courtesy of Blue Coat Systems’ research. Kitkiot provides backdoor functionality and is commonly installed alongside other types of malware. It has previously been documented and used to perform DDoS attacks, function as a proxy server and perform click-through advertising fraud. We found numerous instances in which Kitkiot variants were written specifically to target online gaming platforms and modify values stored in databases and other online network communications.

Existing public information about this malware family is available via these links:

https://www.threatcrowd.org/listMalware.php?antivirus=Trojan.Kitkiot
http://www.virusradar.com/en/Win32_Kitkiot.A/description

Stolen Certificates and Relationships to PassCV

SPEAR identified roughly eighteen previously undisclosed stolen Authenticode certificates. Interestingly, not all of the certificates were stolen from game companies. It appeared the group had also started to branch out into signed adware. This may seem odd at first, but most security researchers are somewhat numb to the consistent barrage of so-called legitimately signed adware, so a more advanced backdoor signed with the same certificate could easily be overlooked.

The first new connection SPEAR identified was derived from an email address listed in Blue Coat Systems' original report on PassCV. The email address ‘13581641274(at)163.com’ which was used to register the domain ‘aresgame[dot]info’ was reused in 2015 to register the domains ‘fengzigame[dot]net’ and ‘roboscan[dot]net’. Both domains were designed to look like their legitimate counterparts, ‘fengzigame.com’ and ‘roboscan.com’.

SPEAR found several NetWire variants that communicated to subdomains off of the aforementioned domains, and identified another larger cluster of activity that was specifically targeted at game developers using similar variants. All of the variants communicated to domains that were extremely similar to other popular gaming framework websites, and contained code to harvest stored password information as well as log keystroke data.

The C2 domain ‘cocoss2d[dot]com’ mimicked the original website for the Cocos2d gaming framework, ‘http://cocos2d.org/’, used in popular mobile games such as Badland. The C2 domain ‘unitys3d[dot]com’ was designed to impersonate the website of the Unity engine, ‘https://unity3d.com/’, a gaming engine licensed across multiple gaming platforms and more recently in popular mobile games like Pokémon Go.

Many of the identified samples also contained a common unique mutex, ‘{332222A-33A3-2222-AAAA-3A22AA333}’, which allowed SPEAR to identify a number of additional compromised certificates.

One of the samples identified through this method was:

          95a33b0c5f2408adabbebeba6f4c618ba2b392f9dbcd1d9a9ff9db5a519380d8

This led to the discovery of another sample:

          ad2a42e4024a320ce763524e17ef7262add649651e2a277b5fc56a9bdc44e449

It was signed with a certificate belonging to AmazGame, a Beijing-based gaming company. The sample also contacted the domain ‘waw.css2[dot]com’, intended to mimic another domain related to the Cascading Style Sheets 2.0 specification:

Fig9-PassCV.png

Figure 4: Beijing AmazGame Certificate

          Issued to: Beijing AmazGame Age Internet Technology Co.
          Current Status:
Not time valid
          Valid From: 3/16/2012 1:00 AM 6/16/2015 12:59 AM
          Thumbprint: B585EA81A25908F25F39088B1FCC239EBF7088D8
          Serial Number: 22 CF 7D A7 B7 6F C5 C4 E7 72 25 CF A1 BD A4 97

This in turn led to the discovery of a similar binary via C2 crossover:

          78b588fa57b027cda856a05638b25454c59d1896670701f9a8177b8e0c39596d

It was signed with yet another stolen Authenticode certificate:
Fig10-PassCV.png

Figure 5: Syncopate Authenticode Certificate

Issued to: Syncopate LLC

Current Status: Valid

          Valid From: 9/24/2015 1:00 AM to 12/24/2017 12:59 AM
          Thumbprint: 59EE1A00910451130BB22E06DEB5DCAF1AFAA282
          Serial Number: 7E 12 57 33 28 AD F4 5B 6F 3E C3 41 E6 46 29 3A

 

Syncopate is a well-known Russian company that is best known as the developer and operator of the ‘GameNet’ platform. GameNet was first identified as being a likely victim of the Winnti group here, although no associated code-signing certificates were identified at that time. Similarly, in that same blog post ‘Zemi Interactive’ was also identified as being a likely victim from the same attacks. The evidence presented above strengthens the claim that the Winnti and PassCV groups are closely related.

During the course of this investigation, SPEAR also identified that NHN’s (Naver Corporation) code-signing certificates were compromised, but it appeared to be related to a substantially different attack set that SPEAR hopes to shed some light on in the near future.

Blue Coat Systems originally identified additional connections based upon domain registrant information with the email addresses ‘huise123(at)yahoo.com’ and ‘rebot(at)126.com’. It is possible that the original stolen code-signing certificates were shared among multiple groups and only more recently deployed by the attackers. However, SPEAR has not found any significant evidence to support this hypothesis.

SPEAR identified another sample:

          dff0fee3bef9fa2c9c08a6d2c5772e51c1d29522de19301fb389b310e481713f

It was signed using the Beijing AmazGame certificate. The sample beaconed back to the domain ‘task.dns-syn[dot]com’. ‘bot[dot]dns-syn[dot]com’ was previously documented in Blue Coat Systems’ write-up as being registered using the email address ‘rebot(at)126.com’. This email address was subsequently linked to the domain ‘timewalk[dot]me’, which was documented in other RATs associated with the Winnti group. 

This particular subdomain served a unique purpose, which was to provide additional tasking and to instruct the malware to target a specific online gaming platform. In the case of this particular sample, the targeted gaming platform was 'http://20012.com/'. After analysis of several other similar signed samples, SPEAR found they were all targeted at various individual online and mobile gaming platforms.

SPEAR was able to identify additional samples that utilized these stolen Authenticode certificates, which created an interesting pivot point and led to the discovery of several additional compromised certificates.

Conclusion

The PassCV group continues to be extremely effective in compromising both small and large game companies and surreptitiously using their code-signing certificates to infect an even larger swath of organizations. Since the last report, the group has significantly expanded its targets to include victims in the United States, Taiwan, China and Russia.

SPEAR researchers were surprised to find that a good portion of the old infrastructure exposed by Blue Coat Systems remains active to this day. However, it was also apparent that the attackers paid attention to the news, as they let several of the exposed domains lapse and registered extremely similar domains shortly thereafter. The overall operational security of the group has also improved and more recent domains were registered using private WHOIS services and other previously undisclosed email addresses.

Interestingly, most of the malicious binaries were countersigned, which allowed the expired certificates to continue to be valid long past their expiration date. SPEAR has time and time again observed that this particular “feature” of Microsoft Authenticode Certificates is easily and readily abused by malicious actors. Even some recent academic papers pointed out that the binary’s Authenticode certificate will continue to be valid if a malicious binary is time stamped (countersigned), validly signed and the certificate is subsequently revoked. SPEAR has not identified any samples related to the PassCV group that would support the author of the paper’s conclusion, but samples of this nature would indicate that Authenticode signing is indeed rather broken.

While the motivations of the attackers aren’t entirely clear, SPEAR believes that the attackers are most likely profiting financially in some way. This could include subverting the in-game economies of the companies they compromise, reselling the stolen code-signing certificates, offering malware signing services or by creating their own private VPN infrastructure from machines within the compromised organizations.

SPEAR identified one binary in particular that fueled this speculation:

          8748c19ec86011a77e313e0ea9dd9d0315eed274288585f3663f57e5b8960bdf

The binary was signed with the stolen code-signing certificate from Beijing ‘AmazGame’ and was named ‘Proxy.exe’. The file communicated with a website ‘www.proxy456(dot)com’, registered using the email-address ‘plus3k(at)gmail.com’. This email address was previously used to register the following C2 domains used by the PassCV group from 2012 to 2014:

‘1songjiang[dot]info’
‘dns-syn[dot]com’
‘0pengl[dot]com’
‘0penssl[dot]com’
‘2likui[dot]info’
‘3wusong[dot]info’

Proxy456 claims based on a rough translation to be “China’s first integrated cloud proxy software” and at first glance appears to be a semi-legitimate VPN provider. SPEAR also found anecdotal evidence to suggest that the in-game economies of several popular online Chinese gaming communities were being specifically targeted via unique Kitkiot variants.

Even though the motivations of the attackers aren’t entirely obvious, the PassCV group continues to be extremely effective at compromising small gaming companies and SPEAR believes it to be only a matter of time before they set their sights on larger organizations.

APPENDIX:


C2 Domains:
115game[.]com
1songjiang[.]info
3389[.]hk
360[.]0pengl[.]com
360antivirus[.]net
64[.]3389[.]hk
amd-support[.]com
auth[.]ncsoft[.]to
bak[.]timewalk[.]me
baidusecurity[.]net
blog[.]unitys3d[.]com
bot[.]1songjiang[.]info
bot[.]360antivirus[.]org
bot[.]duola123[.]com
bot[.]eggdomain[.]net
bot[.]fbi123[.]com
bot[.]fengzigame[.]net
bot[.]godaddydns[.]net
bot[.]ibmsupport[.]net
bot[.]itunesupdate[.]net
bot[.]jjevil[.]com
by[.]dns-syn[.]com
cloud[.]amd-support[.]com
cloud[.]dellassist[.]com
cloud[.]0pendns[.]org
dark[.]anonshell[.]com
dns[.]0pengl[.]com
dns[.]360antivirus[.]org
dns[.]eggdomain[.]net
dns[.]godaddydns[.]net
dns-syn[.]com
down[.]fengzigame[.]net
eggdomain[.]net
fengzigame[.]net
fk[.]duola123[.]com
free[.]amd-support[.]com
global[.]ncsoft[.]to
godaddydns[.]com
gzw[.]3389[.]hk
help[.]0pengl[.]com
hijack[.]css2[.]com
home[.]ibmsupports[.]com
ios[.]0pengl[.]com
intelrescue[.]com
itunesupdate[.]net
jj[.]aresgame[.]info
jj[.]duola123[.]com
jj[.]fbi123[.]com
kasperskyantivirus[.]net
kp[.]css2[.]com
kuizq[.]ddns[.]info
lin[.]0penssl[.]com
lin[.]0pengl[.]com
linux[.]unitys3d[.]com
linux[.]css2[.]com
linux[.]cocoss2d[.]com
ls[.]0pendns[.]org
m[.]css2[.]com
m[.]unitys3d[.]com
mzx[.]jjevil[.]com
new[.]dns-syn[.]com
news[.]0pengl[.]com
news[.]eggdomain[.]net
nokiadns[.]com
ns1[.]0pendns[.]org
ns1[.]amd-support[.]com
ns1[.]appledai1y[.]com
ns1[.]dellassist[.]com
ns1[.]nokiadns[.]com
ns2[.]0pendns[.]org
ns8[.]0pendns[.]org
ns9[.]amd-support[.]com
ns9[.]nokiadns[.]com
nss[.]aresgame[.]info
qqantivirus[.]com
rk[.]mtrue[.]com
rk[.]mtrue[.]net
roboscan[.]net
root[.]godaddydns[.]net
rus[.]css2[.]com
sale[.]ibmsupport[.]cc
sc[.]0pengl[.]com
sc[.]0penssl[.]com
sc.dellrescue[.]com
sc[.]dns-syn[.]com
ssl[.]0pengl[.]com
ssl[.]0penssl[.]com
support[.]godaddydns[.]cc
support[.]godaddydns[.]net
task[.]dns-syn[.]com
test[.]dellassist[.]com
udp[.]jjevil[.]com
udp[.]timewalk[.]me
up[.]roboscan[.]net
update[.]360antivirus[.]net
update[.]0pengl[.]com
update[.]fengzigame[.]net
update[.]nortonantivir[.]us
update[.]css2[.]com
update[.]qqantivirus[.]com
w[.]cocoss2d[.]com
waw[.]cocoss2d[.]com
waw[.]css2[.]com
waw[.]unitys3d[.]com
wsus[.]kasperskyantivirus[.]net
www[.]eggdns[.]com
www[.]iantivirus[.]us
yang[.]0pendns[.]org
zx[.]3389[.]hk
zx[.]css2[.]com
zx[.]duola123[.]com

Suspect Domains Based Upon Registrant:
360antivirus[.]org
appleitunes[.]net
ati-support[.]com
autozhaopin[.]net
cissylee[.]com
fcc8[.]com
fortinetantivirus[.]com
fulita[.]net
itunesupdate[.]org
itunesupdate[.]us
leshi[.]us
qqsecurity[.]net
www[.]proxy456[.]com - proxy provider
zilanhua[.]org

C2 IP Addresses:
101.55.33.106
101.55.64.183
101.55.64.209
101.55.64.246
101.55.64.248
101.79.124.251
101.79.124.254
103.24.152.18
103.25.9.191
103.25.9.193
103.25.9.194
103.25.9.195
103.25.9.200
103.25.9.202
103.25.9.240
103.25.9.241
103.25.9.242
103.25.9.244
103.28.46.79
103.56.102.9
104.199.139.211
106.10.64.250
113.10.168.162
113.30.123.254
113.30.70.209
113.30.70.216
113.30.70.238
113.30.70.254
113.30.103.103
115.23.172.113
116.31.99.65
118.123.19.9
118.123.229.22
118.130.152.246
119.63.38.210
121.156.56.114
121.54.169.39
122.226.186.28
122.49.105.16
123.1.178.39
123.249.7.226
123.249.81.202
14.29.50.66
150.242.210.149
150.242.210.15
150.242.210.160
150.242.210.161
150.242.210.187
150.242.210.195
175.126.40.21
180.210.43.134
182.161.100.3
182.237.3.60
182.252.230.254
183.60.106.205
183.86.194.10
183.86.194.16
183.86.194.42
183.86.194.92
183.86.211.134
183.86.218.167
183.86.218.169
183.86.218.170
184.168.221.40
184.168.221.64
184.168.221.86
192.225.226.74
192.74.232.8
192.74.237.164
199.15.116.59
199.15.116.61
199.83.51.25
202.153.193.90
210.209.116.62
210.4.223.134
211.39.141.23
211.44.42.53
218.234.76.75
219.135.56.175
222.186.58.117
23.252.164.156
23.252.164.238
27.255.64.94
42.121.131.17
45.114.9.206
45.125.13.227
45.125.13.247
58.64.203.13
61.36.11.112
69.56.214.232
98.126.107.249
98.126.193.223
98.126.91.205

Compromised Certificates and Associated Hashes



337 Technology Limited
Not time valid
Valid From: 5/28/2015
Valid to: 5/28/2016
Thumbprint: 99E30AB0B2DAB911190E7A8FA42D4669BE340574
Serial Number: 11 21 B9 67 F0 92 CB F1 92 34 F4 F1 8F 73 0F 4F 76 7B

          4769732228d757ee48547fbb27c74495437381f13924039c75c48993f85b930f
          6899f3db419b711739120e09320345815717ae79f8091768b1216a142648e54b


Beijing AmazGame Age Internet Technology Co.
Not time valid
Valid From: 3/16/2012
Valid to: 6/16/2015
Thumbprint: B585EA81A25908F25F39088B1FCC239EBF7088D8
Serial Number: 22 CF 7D A7 B7 6F C5 C4 E7 72 25 CF A1 BD A4 97

          27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f
          46ca0e17d56b92f2833d59a337c7817b330565e5b09345a3e45be3087b13a3ba
          7a4852a81bd546297efb821398609004036aaf578ba7b1488cf98ffaa276cde1
          beb9ecc06e1e753224511a52ab36bf7144d2cbbf0d0fcfdb5962897a4c91d861
          da29ff774a0facd58bdfb3a45d12024bda401bba91f87077784b5b79251805c9
          73d3ae3798e4357e9a162911530f647dcb5f5e07aadad6c9e88a7237135daa56
          ad2a42e4024a320ce763524e17ef7262add649651e2a277b5fc56a9bdc44e449
          dff0fee3bef9fa2c9c08a6d2c5772e51c1d29522de19301fb389b310e481713f
          95a33b0c5f2408adabbebeba6f4c618ba2b392f9dbcd1d9a9ff9db5a519380d8


Beijing Heng Chi Ming Billion Technology Co. Ltd. (北京智明腾亿科技有限公司)
Status Valid
Valid From: 12/14/2015
Valid to: 12/14/2016
Thumbprint: A58B46E37CEBEB20F7948BD781CC1B07C3CB2914
Serial Number: 11 21 33 3A 0B 1E A5 C3 74 87 BE 5B 03 4C E7 E5 48 C2

          02922c5d994e81629d650be2a00507ec5ca221a501fe3827b5ed03b4d9f4fb70
          7581d381c073d2b67bf2b21f5878855183f9fddf935557021ee6d813b7dda802


Chencheng Cai
Status Valid
Valid From: 1/18/2016
Valid to: 1/18/2017
Thumbprint: B7EDE811E25D1CC7CD70DDC6FAF71C10E25E1D3E
Serial Number: 33 08 CE D5 C1 97 26 54 1B 19 6F 80 5A C5 0C D0

          e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55
          c93a654e21e61a7ae325447091d0f64de4504d35589f60aeb2502fdc54268d8d
          200ba936cd229cce4dc0b45a6ab78a5a3e84c5884d56adcc41c7fa7d5b9c831a


EMG Technology Limited
Not time valid
Valid From: 5/15/2015
Valid to: 6/21/2016
Thumbprint: 2CBA7A6D38646D2A2E13D3F27DEEA26A1FCAD0CB
Serial Number: 11 21 C4 FE 70 E9 86 B0 A0 9C EC A4 60 35 9F 98 E5 EE

          9edd5b765a6b4d8c3fb8b3998a7b289bfed23b22db68eb1ae30c5495d0d2677a
          ef393ea4f3e9ac177593470d84cd4ae6af496212c2a8a5c489e5d34b7e4e5c78


Flyingbird Technology Limited
Not time valid
Valid From: 5/28/2015
Valid to: 6/27/2016
Thumbprint: C3A5D1F89D899B00BA079BD6C943E1BE74D365F4
Serial Number: 11 21 BE 35 5D 77 92 09 D9 11 5C AB 4F 63 99 17 EB 72

          21566f5ff7d46cc9256dae8bc7e4c57f2b9261f95f6ad2ac921558582ea50dfb
          557647451b5727f7bb56fbf4f00bf29b103db0022b5dbd9741dbfab4bc1def97


Neoact Co.
Not time valid
Valid From: 6/2/2012
Valid to: 7/3/2013
Thumbprint: 8C0B204BB98942D5B750C2FC2258B152DCB1901F
Serial Number: 2B 6E F1 47 1D FC 04 ED 3C B6 42 AC 56 F1 39 E5

          0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2

Neoact Co.
Not time valid
Valid From: 6/27/2013
Valid to: 7/28/2014
Thumbprint: 30413DED868E1F152B19F585EF2AE3667252203D
Serial Number: 27 A4 33 CA 2F E7 67 B6 5E B9 6E 43 04 C9 2E 53

          28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1
          4672f4ebe2d93d52424a92298740994daf232b07e68c13ac88d80f5c64cbfea0
          58c39df99155017592abf60ec5a80a339f233bf1eb5dcf2ecf4a5b336cc56e58
          aded00e1dab93e15161dc14206d75eccfb4657c360e7e13b6101e00ef26e3399


NHN USA Inc.
Revoked
Valid From: 1:00 AM 11/3/2009
Valid to: 12:59 AM 10/29/2011
Thumbprint: 775141B89F48B71DADC19F13011A46E537E7029C
Serial Number: 2B 5A 38 31 57 EF C7 CD 26 17 EF 32 F0 A7 AC B9

          92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b

Polk City Network Technology (Shanghai) Co. Ltd. (北京智明腾亿科技有限公司)
Status Valid
Valid From: 2/4/2015
Valid to: 4/5/2017
Thumbprint: D7D281D4ED737638911CD961E76A7CDD7BFF08B4
Serial Number: 7A 00 AC B7 70 08 A7 21 10 11 0E 0D 66 35 B9 7F

          475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4

Polypower Technology Co.
Status Valid
Valid From: 5/28/2015
Valid to: 6/27/2016
Thumbprint: 01ED0A76185E76575F8FCA667DA73AD290656E03
Serial Number: 11 21 A3 9E 97 47 48 62 3C A6 E3 E4 9A 8B AE B3 ED 3A

          24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a
          8585342d297b4726900e8818817b14042e1a3da5a1497380572a64dcf6d4819c
          8944a4ac31b32402ec5c88c4b5645d87f749d3af37c362738f465a9f8e152058


Redduck Inc.
Not time valid
Valid From: 9/24/2013
Valid to: 9/25/2015
Thumbprint: AB879A0A6AF95247415092A5B7FA66B2944E12B9
Serial Number: 0F 66 84 2B 4F 9C 45 8B 72 13 6F 0A E9 69 24 B7

          009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78
          18e6c5968bbe7414278b4fd59ad9a4f1bf9a8a9956dde65f219e9810594381e0
          3810d95692613bb4f719d6af64230f9bd6ca7db3a004e089af92a07bed560c01
          52de57d6ea3174cf2463f5d32abc7c61d0f0d461c3d543e968a5c09ec0740ddc
          67cc48e342d6435792aae1b0576d5707ba4823e32d9ad51fc2ddb5655669b9cd
          7dc48bb29c2c9da5a6f60e304714cb2a9b93c735cc3a92522d9fd25799c9a6fa
          8736b2d7a73643f0763c74c9fbf50c0109adcabdc794f4973927e3cba4eca220
          96377dbd06a57e63e8b3c6b18c92beb2b2e87c9aa155ec11bc7f24ec1e5d7699
          b95f611c73c0176e5e8121b0300f4076c147b72115c6706c425a122ff10c10a4
          f9778c4e07642f5658285e64297c076877633a4bff9528827d0d3c2108259f72
          fb6e4912fca91d99a9747ad2c68ee82da60f787984fadf77aaab40dac7bed3eb
         1253e1778714a41b79662dbf9a353afd01a8e72097b3202cc207dd9896c6d7a6
          529adca3e873d5db03dc3c8c1ab184ed19135fbe0c8fde80429b7b0072ef41ad


Runewaker Entertainment
Not time valid
Valid From: 11/18/2011
Valid to: 11/18/2014
Thumbprint: 28F5F016604E99C77A444E796F501209F050FC32
Serial Number: 59 76 83 B6 8E F6 B0 C8 BE 2D 85 A2 12 B5 19 10

           03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5
          1ade09a1c54800787dc63d09b76f69fd2cca8b4bbb63c8c39c720628ea37471a
          1e8fe3ee0fffc8144c6252035c7f247bac129e7aa5c4537cf5e3f25531e04a67
          28123038d24ef74a396a2a88700f947bfa72cdddd6bc56524c113a529a3423cd
          2936ae7f7099c32e701c3b956a7eb7ef800bf5748122c883819c834ec61af44a
          2d0be850cc137540d163e9c035f4c99f27caa5bb8cdb1cea6182b5da49cff0f2
          5a723f65da58bdcfc639f557f490213ca8c5009db0ddde7fffef8d2bcf3966f5
          5d6986f440e89f4a309a62f9df8ea5989a8880229dc02b132dd1bb3d0e0083d1

          774efc29c19254714c986423aee968bfb03daf4ce79fddbef4ec3b4b5eee3f8f
          7eecb8af098ead93e9bf2d5a4e86ff3f172e94566d296f061971410036a22a0f
          830d48b2c6de780783e697346a6afe96c6e33654d85b71bb86627b88f09f298c
          916a2b4d9c6a5f4fd5333f4d165cb8ad1479253d8141b6087ed412f3a1b059c2
          9941fd97327d54a18209d0bb1f36992a18a3809aa8d163e7fe80193a4348610a
          a65ca7dbfdb15d88ba6d37a521e5dda768388ed9d48184859d71be3afb57de16
          ab65eebe0f96d3787893329992670ff97621c76e2d8c1be366c00429c944350b
          d6f3151ed4fb00b766cf70df678b932c616a122c6c9f2a62e33d4a103465f8af
          df013d3b048931a23dcc9db63e6b7d76dfc4373a3f41a274744179b6546e4cd1
          fb1ab5a92af54263f1dd6bdf5657ac0c4b52d9639acecb4b339a82c5650b9a6f
          e7a721682ff2b00c00da50a51c87e9bc7cb93292e4cf42bb04185c3392fdec41


Syncopate LLC
Status Valid
Valid From: 9/24/2015
Valid to 12/24/2017
Thumbprint: 59EE1A00910451130BB22E06DEB5DCAF1AFAA282
Serial Number: 7E 12 57 33 28 AD F4 5B 6F 3E C3 41 E6 46 29 3A

          0cf6d9a5aa3b390f97f20b2fbd2cd9df76c5bb018c997c26d2e16eb44127c624
          2d752e8a6e42d4b1d14e4400cccb5f1bda3dccd1264d09f4bb2fefb6b6f5048a
          48f8c31530d621de0cb401fb32c282eecc91bdac602aac9bd4ddbe8c6a6ceb39
          78b588fa57b027cda856a05638b25454c59d1896670701f9a8177b8e0c39596d
          9375e3482163cbe388a49317dce8eb7bb23761a29a06ae9a9c4f11628f60d1f3
          b941aaf32e4102fad862bf8c4b36d5f0932a4388dd3b7502f68233cb6a9a8ae9


Taiwan Shui Mu Chih Ching Technology Limited
Not time valid
Valid From: 3/6/2015
Valid to: 3/4/2016
Thumbprint: D76AC870EBD12FBBE587D48E1640E76EA499B86E
Serial Number: 11 21 27 47 4D E0 10 DA 49 D3 1D 0E E8 19 3E AC 2D 0E

          4f4fa26bc26fd90c64dd3b347a92817b67b64506c025248330aa69b00b97051f

Woodtale Technology Inc
Not time valid
Valid From: 7/11/2012
Valid to: 7/16/2015
Thumbprint: EF00842D40EAC4FDFC2BF62E00829AD83C6046AE
Serial Number: 04 53 F5 E1 43 79 37

          7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e

Wuxi Kai Yang Electronic Technology Co. Ltd. (无锡凯扬电子科技有限公司)
Status Valid
Valid From: 11/20/2015
Valid to: 11/20/2016
Thumbprint: D0EF4A086EDE76B39863104F8832706950CBB053
Serial Number: 57 BE 1A 00 D2 E5 9B DB D1 95 24 AA A1 7E D9 3B

          016250b7d62e49ba386404cc6db38cb65323d26cf80bc94e2810d5ab9e59fff2
          2acc78ece9cb1a7865341e69fb72097a2debf2c82f41976554132bf6d3181c25
          ea63f6a26a18fbeae7c9e042a43988f938503126b485238e3d44f75ae30868bc


Yang Liu
Status Valid
Valid From: 6/20/2016
Valid to: 11/26/2016
Thumbprint: B467B21C4CA4EA7E3AE55FF03D4540900AACC97E
Serial Number: 2F 04 6D 17 50 F5 F5 27 BD 6F 57 50 3A 7C AA 07

Zemi Interactive Co.
Not time valid
Valid From: 7/9/2013
Valid to: 8/9/2014
Thumbprint: 6F889C3FE070D493A79B698D1FC7D7E428D18F90
Serial Number: 45 05 E9 AC 8D 28 8D 76 3A 10 88 ED 1E 2C 8A 60

          14da1add073c48c57da5d14ab55c461bca2ece5d06d5a3d563f14eda56d806fa
          16c4e5c26e072d3b50b58d3c2b1e3985405a686867dedc75d75bd44d84ac4434
          24e3ea78835748c9995e0d0c64f4f6bd3a0ca1b495b61a601703eb19b8c27f95
          320b73e5cee7590a529001af9cea5f36520adc5c50ef48c72912e2dae7283ac6
          3f50ced416c9d7feaa0ad6fb16be1f1289590b497024e20c34b139c2b5194e7c
          5f851ffcee7f301bfcffc3c023a78611f6a1264575ffbafa1f3bc420b27f7eac
          66a1514ea0b833d9108f7ad1ec39a568cedcb46839f956ab330fb72791fd827d
          77a15c0e45c1dfa42d135321576c725c40f890d95e9ad44bdabeae9eb5d71a9f
          81986d0559db51317ca03f1d4102f8ddf86451ec18ba9649129c7704373cfed1
          86e091ebce3ee9e9de15bc600bed01ddaa6668794d40d70bbef02386304fd7c4
          b42bb2221490b763a84714140d75c8eb3189caac0f5940626d07b8303eccedec
          b46786252512197a96093ab4cb906a851f75f82da7ad850c220a44002f39c739
          b84d90acd1a43e560c7e3ae12922cceb286a30dd3e1cc02089f1359a7286a671
          cbd62862584f8544aadca0b4f8f3405576378f5542b776bc4e91f384ad146440
          ec49983235a079c72c32212f0e216fb8ebd2354b6936c39cfd736c4a2dd018e4
          4e6b30db935e41231a108cba1c5d4cacde03cf262e9e85d24387950ae5a369c6


Zemi Interactive Co.
Status Valid
Valid From: 8/25/2015
Valid to: 9/24/2016
Thumbprint: 3E508596F683E30FE1A86504B3B35A44A513A141
Serial Number: 76 31 1C 06 EB 80 09 5E B5 20 D0 2B DE 7F AC 1F

          0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665

NOTE: This is an ongoing investigation by the SPEAR Team. The full report will be made available on Cylance.com in the near future.

The BlackBerry Cylance Threat Research Team

About The BlackBerry Cylance Threat Research Team

The BlackBerry Cylance Threat Research team examines malware and suspected malware to better identify its abilities, function and attack vectors. Threat Research is on the frontline of information security and often deeply examines malicious software, which puts us in a unique position to discuss never-seen-before threats.