WinDealer malware spreads via man-on-the-side attacks


Kaspersky researchers have discovered that the Chinese-speaking APT actor LuoYu distributes the WinDealer malware via man-on-the-side attacks [1]. This propagation mechanism allows the threat actor to modify network traffic in transit and inject malicious payloads. Such attacks are particularly effective because they require no human or other interaction with the target for a successful infection.

Following the findings of TeamT5 [2], Kaspersky researchers discovered a new method the actors use to spread the WinDealer malware. They use a man-on-the-side attack to read the traffic and insert new messages. The concept of a man-on-the-side attack is this: when the attacker sees a request for a specific resource on the network (whether through their eavesdropping capabilities or their strategic position in the ISP's network), they attempt to respond faster than the legitimate server. If they succeed, the target computer uses the data supplied by the attacker instead of the genuine response. Even if they lose most of these "races", the attackers can keep trying until they infect the device.
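The race described above has a defender-visible side effect: the injector has to answer before the legitimate server, but the genuine reply still arrives afterwards, so one request ends up with two responses that disagree. The following is an added example (not code from Kaspersky, Securelist or TeamT5) that runs this check over a few constructed response records as a passive sensor would see them. The record layout, the sample values and the TTL comparison (injected packets often arrive from a different network distance than the real server) are assumptions of this example, not details stated in the article.

```python
"""Detect a man-on-the-side race on a passive sensor.

Added example, not code from the Kaspersky or Securelist write-ups. An injector
that wins the race answers a request before the legitimate server, but the
genuine reply still arrives afterwards, so one request ends up with two
responses that disagree. The records below are constructed sample data; the
TTL comparison is a general heuristic and an assumption of this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    request_id: str    # identifies the request this answers (DNS txid, TCP flow+seq, ...)
    src_ip: str        # claimed source address of the response
    ttl: int           # IP TTL observed on the wire
    payload_hash: str  # hash of the answer body
    t_ms: float        # arrival time in ms after the request was seen


# Constructed sample traffic: q1 is normal, q2 got a fast answer followed by a
# conflicting genuine one, q3 is a plain retransmission (same payload twice).
SAMPLE_RESPONSES = [
    Response("q1", "203.0.113.10", 54, "h-legit-a", 38.0),
    Response("q2", "203.0.113.10", 250, "h-injected", 9.0),
    Response("q2", "203.0.113.10", 54, "h-legit-b", 41.0),
    Response("q3", "203.0.113.20", 57, "h-legit-c", 30.0),
    Response("q3", "203.0.113.20", 57, "h-legit-c", 230.0),
]


def find_conflicting_responses(responses):
    """Return {request_id: details} for requests that received differing answers."""
    by_request = defaultdict(list)
    for r in responses:
        by_request[r.request_id].append(r)

    findings = {}
    for rid, answers in by_request.items():
        if len({a.payload_hash for a in answers}) < 2:
            continue  # single answer, or identical retransmits: not a race
        answers = sorted(answers, key=lambda a: a.t_ms)
        first, later = answers[0], answers[1:]
        findings[rid] = {
            "winner_payload": first.payload_hash,
            "winner_ttl": first.ttl,
            "later_ttls": [a.ttl for a in later],
            # a TTL that differs from every later answer suggests a different origin
            "ttl_mismatch": all(a.ttl != first.ttl for a in later),
            # how much earlier the winning answer arrived than the next one
            "lead_ms": later[0].t_ms - first.t_ms,
        }
    return findings


if __name__ == "__main__":
    for rid, info in find_conflicting_responses(SAMPLE_RESPONSES).items():
        print(rid, info)
```

Only q2 is reported: the duplicate in q3 carries the same payload and is treated as a retransmission, which keeps ordinary network noise out of the alert stream. On real traffic the same logic applies to DNS answers keyed by transaction id or to TCP segments keyed by flow and sequence number.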

Spyware collects a lot of information

After a successful attack, spyware capable of collecting a wide range of information lands on the target device. It allows the attackers to view and download all files stored on the device and to run keyword searches across all documents. In general, LuoYu targets foreign diplomatic organizations based in China, academic institutions, and defense, logistics and telecommunications companies. The actor uses WinDealer to attack Windows-based machines.

Typically, malware contains one or more hard-coded command-and-control servers from which the attackers control the system. With the appropriate information about these servers, their IP addresses can be blocked so that the malware can no longer reach them, which neutralizes the threat. WinDealer, however, relies on a complex IP address generation algorithm to determine which machine to contact.

Windealer generates contact IP addresses

The algorithm covers a range of 48,000 possible IP addresses, making it almost impossible for the operator to control even a small part of it. The only way to explain this seemingly impossible network behavior is to assume that the attackers have significant eavesdropping capabilities within this IP range and can even read network packets that never reach a destination.
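Because the contact address is generated rather than hard-coded, blocking individual IPs does not help, but the resulting traffic pattern is still visible in outbound flow logs: one host opens connections to many different destinations that all fall inside the same prefix, which ordinary clients rarely do. The following is an added example (not code from Kaspersky or Securelist) that counts distinct destinations per source host and prefix over constructed flow records. The flow layout, the addresses, the /16 prefix length and the threshold of eight destinations are assumptions of this example; the article gives no such parameters.

```python
"""Spot a host contacting many distinct addresses inside one prefix.

Added example, not code from the Kaspersky or Securelist write-ups. Malware
that derives its C2 address from a generation algorithm scatters its
connections across a prefix instead of returning to one fixed server. The flow
records, prefix length and threshold below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_out).
# 10.0.0.7 behaves like a normal client; 10.0.0.5 contacts ten different
# addresses inside 198.51.0.0/16 with small, uniform payloads.
SAMPLE_FLOWS = [
    (0, "10.0.0.7", "203.0.113.10", 443, 1800),
    (1, "10.0.0.7", "203.0.113.11", 443, 2400),
] + [
    (i + 2, "10.0.0.5", f"198.51.100.{i}", 443, 310) for i in range(1, 11)
]


def distinct_destinations(flows, prefix_len=16):
    """Count distinct destination IPs per (source host, destination prefix)."""
    seen = defaultdict(set)
    for _ts, src, dst, _port, _nbytes in flows:
        prefix = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        seen[(src, str(prefix))].add(dst)
    return {key: len(ips) for key, ips in seen.items()}


def flag_scatter(flows, prefix_len=16, min_distinct=8):
    """Return sorted (src, prefix, count) tuples at or above the threshold."""
    counts = distinct_destinations(flows, prefix_len)
    return sorted(
        (src, prefix, n)
        for (src, prefix), n in counts.items()
        if n >= min_distinct
    )


if __name__ == "__main__":
    for src, prefix, n in flag_scatter(SAMPLE_FLOWS):
        print(f"{src} reached {n} distinct hosts in {prefix}")
```

The threshold and prefix length need tuning per environment: a busy web proxy legitimately talks to many hosts in a CDN's prefix, so in practice the count is best combined with the other signals the article names, such as whether the destinations were ever resolved through DNS and whether the payload sizes are uniform.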

Such a man-on-the-side attack is particularly devastating because it requires no interaction with the target to result in a successful infection; an active connection to the Internet is sufficient. In addition, users cannot proactively take any protective measures, apart from routing their traffic over another network. Although this would be possible using a VPN, VPNs may not be used in certain countries and are generally not available, especially to Chinese citizens.

Germany also affected

The vast majority of LuoYu victims are located in China, so Kaspersky experts believe the LuoYu APT primarily targets Chinese-speaking users and China-related organizations. However, they have also observed attacks in other countries, including Germany, Austria, the United States, the Czech Republic, Russia and India.

"LuoYu is a highly sophisticated threat actor that uses methods only available to the most advanced attackers," comments Suguru Ishimaru, Senior Security Researcher at Kaspersky's Global Research and Analysis Team (GReAT). "We can only speculate how they were able to develop such abilities. Man-on-the-side attacks are extremely effective because the only requirement for an attack on a device is that it is connected to the internet. Even if the attack fails the first time, the attackers can continually repeat the process until they succeed. This allows cybercriminals to carry out extremely dangerous and successful espionage attacks, which usually target diplomats, scientists and employees of other key sectors. Regardless of how the attack was carried out, the only way to protect yourself is to remain very vigilant and employ robust security practices. This includes regular antivirus scans, outbound network traffic analysis and extensive logging to detect anomalies."

Kaspersky recommendations for protection

  • Employing robust security practices that include regular antivirus scans, outbound network traffic analysis, and comprehensive log file collection to detect anomalies.
  • Conducting a cybersecurity audit of all networks and remediating any vulnerabilities discovered on or within the network perimeter.
  • Installation of anti-APT and EDR solutions that enable threat detection, investigation and timely remediation of incidents. The SOC team should always have access to the latest threat data and receive regular professional training. All this is possible within Kaspersky Expert Security [3].
  • In addition to comprehensive endpoint protection, dedicated services provide further protection against attacks. Kaspersky Managed Detection and Response [4] can help identify and stop compromises early on, before attackers reach their targets.
  • Kaspersky's Threat Intelligence Resource Hub [5] offers free access to independent, constantly updated and globally available information on current cyber attacks and threats to ensure a high level of security.

[1] https://securelist.com/windealer-dealing-on-the-side/105946/
[2] https://teamt5.org
[3] https://www.kaspersky.de/enterprise-security/endpoint-detection-response-edr
[4] https://www.kaspersky.de/enterprise-security/managed-detection-and-response
[5] https://go.kaspersky.com/uchub

About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/
