WinDealer via man-on-the-side | Kaspersky official blog
Author: Hugh Aver | Date: Mon, 06 Jun 2022 20:58:17 +0000
Kaspersky experts have studied the WinDealer malware used by the LuoYu APT group. The most interesting finding is that the attackers appear to have mastered the man-on-the-side technique and are using it successfully both to deliver the malware and to control computers that are already infected.
What is a man-on-the-side attack, and how do WinDealer's operators use it?
A man-on-the-side attack means that the attacker has a foothold on the communication path: he can read the traffic passing by and inject his own packets into an ongoing exchange. Unlike a full man-in-the-middle, he cannot block or alter packets that are already in flight, so a forged reply only succeeds if it reaches the victim before the genuine one does.
Here is an example: the attacker observes an update request from completely legitimate software and answers it with a weaponized update file before the real update server can. Apparently, this is how WinDealer is distributed.
A similar trick is used to issue commands to the malware on an infected computer. To make it harder for security researchers to find the C&C server, the malware does not contain its exact address. Instead, it tries to reach a random IP address from a certain range. The attackers, sitting on the path, intercept the request and respond to it, which also means there is no single C&C host whose address could simply be blocklisted. In some cases, WinDealer even tries to reach an address that cannot exist at all, yet thanks to the man-on-the-side method it still receives a response.
According to our experts, to pull this off the attackers need persistent access to the routers serving the whole subnet, or to equivalent capabilities at the Internet-provider level.
Who are WinDealer's targets?
The vast majority of WinDealer's targets are located in China: foreign diplomatic organizations, members of the academic community, and companies involved in defense, logistics or telecommunications. However, the LuoYu APT group sometimes also infects targets in other countries: Germany, Austria, the United States, the Czech Republic, Russia and India. In recent months they have also shown growing interest in other East Asian countries and in the Chinese branches of organizations based there.
What WinDealer is capable of
A detailed technical analysis of both the malware itself and its delivery mechanism can be found in a post on the Securelist blog. In short, WinDealer has the functionality typical of modern spyware. It can:
- Manipulate files and file system (open, write and delete files, collect data about directories and disk);
- Collect information about hardware, network configuration, processes, keyboard layout, installed applications;
- Download and upload arbitrary files;
- Execute arbitrary commands;
- Search through text files and MS Office documents;
- Take screenshots;
- Scan the local network;
- Act as a backdoor;
- Collect data about available Wi-Fi networks (at least one of the variants found by our experts is capable of this).
How to stay safe
Unfortunately, man-on-the-side attacks are extremely difficult to defend against at the network level, because the forged packets arrive over the same path as the genuine ones. In theory, a permanently active VPN connection helps, since injected packets cannot pass the tunnel's authentication, but a VPN is not always available; for the same reason, software that fetches its updates over an authenticated channel and verifies their signatures is not fooled by an injected file. Therefore, to rule out a spyware infection, every device with Internet access needs a reliable security solution. In addition, EDR-class solutions can help detect anomalies, such as a host reaching out to many random addresses in one range and getting answers from addresses that should not exist, and stop the attack at an early stage.
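As an added illustration of the kind of anomaly an EDR or flow-log pipeline could look for, here is a heuristic over constructed flow records; it is not a detection rule from Kaspersky or from the Securelist report. It encodes the two traits described above: a host fanning out to many previously unseen, apparently random addresses inside one range, and a destination that cannot be routed on the public Internet nevertheless sending data back. The watched range 203.0.113.0/24 (a documentation prefix), the reserved address 240.10.20.30, the host addresses and the byte counts are all placeholders, not the ranges or addresses the malware actually uses.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real telemetry): seconds, src, dst, bytes returned by dst.
# 10.0.0.5 plays the infected host; 10.0.0.9 talks repeatedly to one real server
# in the same range, which is what normal client traffic looks like.
FLOWS = """\
10 10.0.0.5 203.0.113.17 0
25 10.0.0.5 203.0.113.201 640
40 10.0.0.5 203.0.113.93 0
55 10.0.0.5 203.0.113.144 0
70 10.0.0.5 203.0.113.62 512
85 10.0.0.5 203.0.113.250 0
90 10.0.0.5 240.10.20.30 480
12 10.0.0.9 203.0.113.10 1200
47 10.0.0.9 203.0.113.10 900
83 10.0.0.9 203.0.113.10 1500
"""

# Placeholder for the range the malware draws random addresses from.
WATCHED = [ipaddress.ip_network("203.0.113.0/24")]


def parse_flows(text):
    """Return flows as (ts, src, dst_ip, bytes_back) tuples sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, back = line.split()
        flows.append((int(ts), src, ipaddress.ip_address(dst), int(back)))
    return sorted(flows)


def randomized_fanout(flows, ranges=WATCHED, window_s=300, min_distinct=5, max_repeat_ratio=0.2):
    """Return {src: (range, distinct_dsts)} for hosts that contact at least
    min_distinct different addresses inside one watched range within window_s
    while almost never reusing an address.  Real clients reuse a handful of
    servers; a beacon that picks a fresh random address each time does not."""
    per_key = defaultdict(list)
    for ts, src, dst, _ in flows:
        for net in ranges:
            if dst in net:
                per_key[(src, net)].append((ts, dst))
    hits = {}
    for (src, net), events in per_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = [d for t, d in events[i:] if t - t0 <= window_s]
            distinct = len(set(window))
            repeats = len(window) - distinct
            if distinct >= min_distinct and repeats <= max_repeat_ratio * len(window):
                hits[src] = (str(net), distinct)
                break
    return hits


def replies_from_unroutable(flows):
    """Flows where a destination that cannot be reached on the public Internet
    (reserved, unspecified, loopback or multicast) nevertheless sent data back.
    Nothing lives at such an address, so only something answering on the path
    can have produced the reply."""
    out = []
    for _, src, dst, back in flows:
        impossible = dst.is_reserved or dst.is_unspecified or dst.is_loopback or dst.is_multicast
        if impossible and back > 0:
            out.append((src, str(dst)))
    return out


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("random fan-out:", randomized_fanout(flows))
    print("answers from impossible addresses:", replies_from_unroutable(flows))
```

The thresholds are deliberately loose; in production they would be tuned against a baseline of which ranges each host normally talks to, and the "impossible address" check would be extended with the organization's own list of unallocated or unannounced prefixes.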