An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor dubbed LuoYu has been observed using a malicious Windows tool called WinDealer that's delivered by means of man-on-the-side attacks.
"This groundbreaking development allows the actor to modify network traffic in-transit to insert malicious payloads," Russian cybersecurity company Kaspersky said in a new report. "Such attacks are especially dangerous and devastating because they do not require any interaction with the target to lead to a successful infection."
LuoYu, known to be active since 2008, predominantly targets foreign diplomatic organizations established in China and members of the academic community, as well as financial, defense, logistics and telecommunications companies.
LuoYu's use of WinDealer was first documented by Taiwanese cybersecurity firm TeamT5 at the Japan Security Analyst Conference (JSAC) in January 2021. Subsequent attack campaigns have used the malware against Japanese entities, with sporadic infections also reported in Austria, Germany, India, Russia and the United States.
Other tools in the adversary's malware arsenal include PlugX and its successor, ShadowPad, both of which are used by a variety of Chinese threat actors to pursue their strategic objectives. The actor is also known to target Linux, macOS and Android devices.
WinDealer was previously delivered through websites acting as watering holes and in the form of trojanized applications masquerading as instant messaging and video hosting services such as Tencent QQ and Youku.
The infection vector has since been swapped for a different distribution method that abuses the automatic update mechanism of select legitimate applications to serve a compromised version of the executable on "rare occasions."
WinDealer, a modular malware platform at its core, comes with all the usual bells and whistles of a traditional backdoor, allowing it to harvest sensitive information, capture screenshots and execute arbitrary commands.
What also sets it apart is its use of an intricate IP generation algorithm to pick a command-and-control (C2) server at random from a pool of 48,000 addresses, which makes conventional C2 blocklisting ineffective. "The only way to explain this seemingly impossible network behavior is to assume the existence of a man-on-the-side attacker who is able to intercept all network traffic and even modify it if needed," the company said.
A man-on-the-side attack, similar to a man-in-the-middle attack, allows a rogue party to read and inject arbitrary messages into a communications channel, but not to modify or delete messages sent by the other parties.
Such intrusions typically rely on strategic timing: the malicious response carrying the attacker-supplied payload is delivered in answer to the victim's request for a web resource before the legitimate server's response arrives, so the victim acts on the injected reply first.
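The race described in the two paragraphs above, as an added simulation in Python that is not part of this article or of Kaspersky's report: a client that accepts the first reply matching its request, an injector that can read requests and spoof replies but cannot suppress the server's packets, and a detector that flags the resulting duplicate, conflicting reply. Because the genuine response still arrives, that duplicate is the characteristic footprint of injection, even when the attacker loses the race. The transaction-id matching scheme, addresses, latencies, URLs and payloads are constructed assumptions for the demo and do not model WinDealer's actual protocol.

```python
"""
Toy man-on-the-side race and a detector for its footprint.

Added illustration, not code from Kaspersky's report or from WinDealer.
Every name, address, latency and payload here is an assumption chosen for
the demo; the "wire format" is a toy, not TCP or DNS.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    txid: int      # identifier the client uses to match a reply (constructed)
    src: str       # client address (constructed, documentation range)
    dst: str       # legitimate server address (constructed)
    url: str


@dataclass(frozen=True)
class Response:
    txid: int
    src: str       # claimed sender; the injector spoofs the server's address
    payload: bytes
    arrival: float  # simulated arrival time at the client, in ms


def legitimate_server(req: Request, latency_ms: float) -> Response:
    """The real server always answers, after the real round-trip latency."""
    return Response(req.txid, req.dst, b"<html>legit update manifest</html>", latency_ms)


def man_on_the_side(req: Request, latency_ms: float) -> Optional[Response]:
    """
    The injector sees every request (read) and can send packets (inject),
    but cannot drop or alter the server's packets. It copies the observed
    transaction id, spoofs the server's source address and races the server.
    Only requests of interest (here: an update manifest) are answered.
    """
    if not req.url.endswith("/update.json"):
        return None
    return Response(req.txid, req.dst, b"<html>injected update manifest</html>", latency_ms)


def deliver(req: Request, server_latency_ms: float, attacker_latency_ms: float) -> List[Response]:
    """Merge both parties' replies in the order they reach the client."""
    replies = [legitimate_server(req, server_latency_ms)]
    injected = man_on_the_side(req, attacker_latency_ms)
    if injected is not None:
        replies.append(injected)
    return sorted(replies, key=lambda r: r.arrival)


def client_accepts(req: Request, replies: List[Response]) -> Optional[Response]:
    """
    First-answer-wins matching, as in a stateless resolver or a TCP receiver
    taking the first in-window segment: the first reply whose id and source
    match is used; later duplicates for the same id are silently dropped.
    """
    for r in replies:
        if r.txid == req.txid and r.src == req.dst:
            return r
    return None


def detect_injection(req: Request, replies: List[Response]) -> List[str]:
    """
    Because the injector cannot suppress the genuine reply, the client sees
    two matching replies with different content. Report the conflict and the
    gap between them; a single consistent reply yields no finding.
    """
    findings: List[str] = []
    first_seen: Dict[int, Response] = {}
    for r in replies:
        if r.src != req.dst or r.txid != req.txid:
            continue
        first = first_seen.get(r.txid)
        if first is None:
            first_seen[r.txid] = r
        elif first.payload != r.payload:
            findings.append(
                f"txid {r.txid:#06x}: conflicting reply {r.arrival - first.arrival:.1f} ms "
                f"after the first; first={first.payload[:24]!r} later={r.payload[:24]!r}"
            )
    return findings


def run_scenario(attacker_latency_ms: float = 12.0,
                 server_latency_ms: float = 80.0,
                 url: str = "http://updates.example/update.json") -> Tuple[Optional[Response], List[str]]:
    """Run one request through the race; returns (reply the client used, findings)."""
    req = Request(txid=0x3A7F, src="10.0.0.5", dst="203.0.113.10", url=url)
    replies = deliver(req, server_latency_ms, attacker_latency_ms)
    return client_accepts(req, replies), detect_injection(req, replies)


if __name__ == "__main__":
    for attacker_ms in (12.0, 200.0):          # injector wins, then loses, the race
        accepted, findings = run_scenario(attacker_latency_ms=attacker_ms)
        print(f"attacker {attacker_ms} ms -> client used {accepted.payload!r}")
        for f in findings:
            print("  ALERT", f)
```

The second run shows why the detector is worth keeping even on a well-provisioned link: when the injector is slower than the server the client is unharmed, but the conflicting late reply still reveals that someone on the path is answering on the server's behalf.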
The fact that the threat actor can control such a vast range of IP addresses could also explain the hijacking of the update mechanism of genuine applications to deliver WinDealer, Kaspersky said.
"Man-on-the-side attacks are extremely destructive, as the only condition needed to attack a device is for it to be connected to the Internet," said security researcher Suguru Ishimaru. "Regardless of how the attack is carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures in place, such as regular checks for anomalies."