
LuoYu APT Delivers WinDealer Malware Via Man-on-the-side Attacks


An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor known as LuoYu has been observed using a malicious Windows tool known as WinDealer, delivered through man-on-the-side attacks.

In a new report, Russian cybersecurity company Kaspersky said, "This groundbreaking development allows the actor to modify network traffic in-transit to insert malicious payloads. Such attacks are especially dangerous and devastating because they do not require any interaction with the target to lead to successful infection." 

Organisations targeted by LuoYu, which has been active since 2008, are primarily foreign diplomatic organisations based in China, members of the academic community, and financial, defence, logistics, and telecommunications firms. LuoYu's use of WinDealer was first documented by Taiwanese cybersecurity firm TeamT5 at the Japan Security Analyst Conference (JSAC) in January 2021.

Later attack campaigns targeted Japanese businesses, with isolated infections recorded in Austria, Germany, India, Russia, and the United States. PlugX and its successor ShadowPad, both of which have been used by a number of Chinese threat actors to support their strategic objectives, are also part of the adversary's malware arsenal. The actor is also known to target Linux, macOS, and Android devices.

WinDealer, for its part, has previously been distributed via watering holes and trojanised applications masquerading as instant-messaging and video-hosting services such as Tencent QQ and Youku. That infection vector has since been replaced by a different delivery method: the automatic update mechanism of selected legitimate applications is abused to deliver a compromised version of the executable, on "rare occasions."

At its core, WinDealer is a modular malware platform with all the bells and whistles of a standard backdoor, allowing it to collect sensitive data, snap screenshots, and run arbitrary commands.

It further distinguishes itself by using a complex IP-generation algorithm to choose a command-and-control (C2) server at random from a pool of 48,000 IP addresses.

"The only way to explain these seemingly impossible network behaviours is by assuming the existence of a man-on-the-side attacker who is able to intercept all network traffic and even modify it if needed," the company said. 

A man-on-the-side attack, like a man-in-the-middle attack, lets an attacker read and inject arbitrary messages into a communications channel; unlike a man-in-the-middle, however, it cannot modify or drop the messages sent by the legitimate parties. Such attacks therefore depend on timing: the malicious response carrying the attacker-supplied content must reach the victim in answer to its request for a web resource before the genuine response from the server does.

"Man-on-the-side attacks are extremely destructive as the only condition needed to attack a device is for it to be connected to the internet," security researcher Suguru Ishimaru said.

"No matter how the attack has been carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures, such as regular antivirus scans, analysis of outbound network traffic, and extensive logging to detect anomalies."
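The timing race described above, and the traffic analysis the researcher recommends, can be tied together with a passive check: because the attacker can only inject and not suppress, the genuine server response still arrives after the forged one, so a capture holds two server-side segments claiming the same TCP sequence range with different bytes. The following example is added here and is not code from the Kaspersky report or the original post; the `Segment` record and the HTTP sample bytes (including the placeholder host `update.example.invalid`) are constructed for illustration.

```python
"""Passive check for man-on-the-side response injection in a TCP stream.

In the server->client direction of a capture, a forged response that
raced the genuine one leaves two segments covering the same sequence
offsets with different bytes. A genuine retransmission repeats the
same bytes and is therefore not reported.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One server->client TCP segment as extracted from a capture."""
    seq: int        # sequence number of the first payload byte
    payload: bytes  # segment payload


def find_injection_conflicts(segments):
    """Return (offset, first_byte, later_byte) for every sequence offset
    where a later segment disagrees with the bytes already seen there."""
    stream = {}     # sequence offset -> first byte observed at that offset
    conflicts = []
    for seg in segments:
        for i, byte in enumerate(seg.payload):
            off = (seg.seq + i) & 0xFFFFFFFF   # sequence space wraps at 2**32
            first = stream.setdefault(off, byte)
            if first != byte:
                conflicts.append((off, first, byte))
    return conflicts


def looks_injected(segments):
    """True when the stream carries contradictory data for any offset."""
    return bool(find_injection_conflicts(segments))


# Constructed sample: a forged redirect races the genuine 200 response
# to the same request; both claim sequence number 1000.
FORGED = Segment(1000, b"HTTP/1.1 302 Found\r\nLocation: http://update.example.invalid/\r\n")
GENUINE = Segment(1000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
RETRANSMIT = Segment(1000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, stream in (("clean", [GENUINE, RETRANSMIT]),
                         ("raced", [FORGED, GENUINE])):
        found = find_injection_conflicts(stream)
        print(f"{name}: {len(found)} conflicting byte offsets"
              + (f", first at seq {found[0][0]}" if found else ""))
```

A real deployment would feed this from reassembled flows (for example a Zeek or Suricata pipeline) and alert on the first conflicting offset rather than on every byte.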