The unidentified hackers attacked the website of MonPass, one of Mongolia's leading certificate authorities, to backdoor its installation software with Cobalt Strike binaries in yet another software supply chain attack.
According to a study published on Thursday by Czech cybersecurity software provider Avast, the trojanized client was accessible for download between February 8, 2021, and March 3, 2021.
In addition, the researchers discovered eight distinct web shells and backdoors on a public webserver hosted by MonPass, which shows that it was compromised as many as eight times.
After discovering the backdoored installation and implant on one of its clients' PCs, Avast launched an inquiry into the matter.
"The malicious installer is an unsigned [Portable Executable] file," the researchers stated. "It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate version is dropped to the 'C:\Users\Public\' folder and executed under a new process. This guarantees that the installer behaves as expected, meaning that a regular user is unlikely to notice anything suspicious."
The installer downloads a bitmap image (.BMP) file from a remote server to extract and execute an encrypted Cobalt Strike beacon payload, which is notable for its use of steganography to send shellcode to the victim's device.
On April 22, MonPass was informed of the situation, and the certificate authority took measures to resolve the compromised server and notify those who had downloaded the backdoored client.
The incident is the second time that certificate authority software has been used to attack targets with malicious backdoors. ESET revealed a campaign called "Operation SignSight" in December 2020, in which a digital signature toolset from the Vietnam Government Certification Authority (VGCA) was modified to incorporate spyware competent in collecting system data and installing additional malware.
The development also comes as Proofpoint's announced earlier this week that the use of the Cobalt Strike penetration testing tool in threat actor campaigns has increased by 161% year over year from 2019 to 2020.
According to Proofpoint analysts, “"Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat actors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020."
