Threat actors have breached a server belonging to MonPass, a major certification authority (CA) in Mongolia in East Asia, and have backdoored the company’s official website with Cobalt Strike binaries. The security incident came to light in late March when researchers at Avast identified an installer downloaded from the official website of MonPass.
On 22 April 2021, Avast informed MonPass regarding the security breach and advised them to patch the compromised server and notify those who downloaded the backdoored client.
“Our analysis beginning in April 2021 indicates that a public webserver hosted by MonPass was breached potentially eight separate times: we found eight different webshells and backdoors on this server. We also found that the MonPass client available for download from 8 February 2021 until 3 March 2021 was backdoored,” Avast stated.
However, researchers were unable to attribute the intrusion “with an appropriate level of confidence” to any specific threat actor. “But it’s clear that the attackers clearly intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia,” researchers added.
The malicious installer is an unsigned PE file. It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate version is dropped to the C:\Users\Public\ folder and executed under a new process. This guarantees that the installer behaves as expected, meaning that a regular user is unlikely to notice anything suspicious.
Avast team also unearthed additional variants on VirusTotal in addition to those found on the compromised MonPass web server. During their analysis of the compromised client and variants, researchers showed that the malware was using steganography to decrypt Cobalt Strike beacon.
In December 2020, China-based hackers targeted Able Desktop software, a security firm responsible for supplying software to multiple Mongolian government agencies. In the same month, Avast also published details about a Chinese cyber-espionage campaign that targeted government agencies using spear-phishing emails, during which attackers tried to install backdoors and keyloggers on employee workstations.
Just a few weeks after targeting Able Desktop software, Chinese attackers employed a technique similar to the MonPass breach on the website of the Vietnam Government Certification Authority (VGCA): ca.gov.vn. The attackers modified two of the software installers available for download on this website and added a backdoor in order to compromise users of the legitimate application.