Chinese LuoYu Hackers Use Man-on-the-Side Attacks to Deploy WinDealer Backdoor
An ‘extremely sophisticated’ Chinese Advanced Persistent Threat (APT) actor dubbed LuoYu has been observed using a malicious Windows tool called WinDealer which is delivered by means of man-on-the-side attacks.
“This groundbreaking development allows the actor to modify network traffic in transit to insert malicious payloads,” Russian cybersecurity firm Kaspersky said in a new report. “Such attacks are particularly dangerous and devastating because they require no interaction with the target to lead to a successful infection.”
LuoYu, known to be active since 2008, mainly targets foreign diplomatic organizations established in China and members of the academic community, as well as financial, defense, logistics and telecommunications companies.
LuoYu’s use of WinDealer was first documented by Taiwanese cybersecurity firm TeamT5 at the Japan Security Analyst Conference (JSAC) in January 2021. Subsequent attack campaigns have used the malware to target Japanese entities, with isolated infections reported in Austria, Germany, India, Russia, and the United States.
Other tools in the adversary’s malware arsenal include PlugX and its successor ShadowPad, both of which have been used by various Chinese threat actors to achieve their strategic goals. Additionally, the actor is known to target Linux, macOS, and Android devices.
WinDealer, for its part, has been delivered in the past via websites that act as watering holes and in the form of trojanized apps masquerading as instant messaging and video hosting services like Tencent QQ and Youku.
But the infection vector has since been swapped for an alternate distribution method that uses the auto-update mechanism of some legitimate applications to serve a compromised version of the executable on “rare occasions.”
WinDealer, a modular malware platform at its core, comes with all the usual bells and whistles associated with a traditional backdoor, allowing it to collect sensitive information, capture screenshots, manipulate files and execute arbitrary commands.
But where it also stands out is in its use of a complex IP generation algorithm to select a command and control (C2) server to connect to at random from a pool of 48,000 IP addresses.
“The only way to explain these seemingly impossible network behaviors is to assume the existence of a man-on-the-side attacker who is able to intercept all network traffic and even modify it if necessary,” the company said.
A man-on-the-side attack, similar to a man-in-the-middle attack, allows a malicious intruder to read and inject arbitrary messages into a communication channel, but not to modify or delete messages sent by other parties.
Such intruders typically rely on strategically timing their messages so that the malicious response containing attacker-provided data reaches the victim before the legitimate server’s response to the victim’s request for a web resource.
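As an added example that is not part of the article or of Kaspersky’s report, the following Python heuristic looks for the trace this race leaves in a packet capture: because the injector cannot stop the real server from answering, the victim receives two segments for the same TCP sequence number with different contents. All hosts, ports and payloads below are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float       # capture time in seconds
    src: str        # sender as "ip:port"
    dst: str        # receiver as "ip:port"
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL as observed at the capture point
    payload: bytes


def find_injection_candidates(segments):
    """Group data-bearing segments by (src, dst, seq) and report groups whose
    payloads disagree. Ordinary retransmissions carry identical bytes and are ignored."""
    groups = defaultdict(list)
    for s in segments:
        if s.payload:                      # pure ACKs carry nothing to compare
            groups[(s.src, s.dst, s.seq)].append(s)
    findings = []
    for key, group in groups.items():
        group.sort(key=lambda s: s.ts)
        first = group[0]                   # the segment that won the race
        for later in group[1:]:
            if later.payload != first.payload:
                findings.append({
                    "flow": key,
                    "race_gap_s": round(later.ts - first.ts, 4),
                    "ttl_delta": later.ttl - first.ttl,  # hop-count mismatch hints at a different origin
                    "first_bytes": first.payload[:40],
                })
    return findings


# Constructed capture: an update check to 203.0.113.10 receives two conflicting answers,
# while a second server (203.0.113.20) merely retransmits an identical segment.
SAMPLE = [
    Segment(0.000, "10.0.0.5:51000", "203.0.113.10:80", 5000, 64, b"GET /update.xml HTTP/1.1\r\n\r\n"),
    Segment(0.012, "203.0.113.10:80", "10.0.0.5:51000", 1001, 61, b"HTTP/1.1 302 Found\r\nLocation: http://update.example.invalid/x\r\n\r\n"),
    Segment(0.047, "203.0.113.10:80", "10.0.0.5:51000", 1001, 52, b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n<update/>"),
    Segment(0.100, "203.0.113.20:80", "10.0.0.5:51002", 7000, 52, b"HTTP/1.1 200 OK\r\n\r\nok"),
    Segment(0.350, "203.0.113.20:80", "10.0.0.5:51002", 7000, 52, b"HTTP/1.1 200 OK\r\n\r\nok"),
]

if __name__ == "__main__":
    for finding in find_injection_candidates(SAMPLE):
        print(finding)
```

On real traffic the same grouping can be fed from a pcap parser; a TTL delta or a large timing gap between the two conflicting segments is the detail worth escalating.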
The fact that the threat actor is able to control such a wide range of IP addresses could also explain the hijacking of the update mechanism associated with genuine apps to deliver the WinDealer payload, Kaspersky pointed out.
“Man-on-the-side attacks are extremely destructive because the only requirement to attack a device is that it is connected to the internet,” said security researcher Suguru Ishimaru.
“Regardless of how the attack was carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures in place, such as regular virus scans, analysis of outbound network traffic and extensive logging to detect anomalies.”