Researchers have found that WinDealer, malware distributed by the Chinese-speaking Advanced Persistent Threat (APT) actor LuoYu, is delivered through a “man-on-the-side” attack.
This capability, according to Kaspersky researchers, allows the actor to modify network traffic in transit and insert malicious payloads.
Such attacks are particularly dangerous because they require no interaction from the target to achieve a successful infection.
Following earlier findings by TeamT5, Kaspersky researchers identified a new distribution method that the operators use to spread WinDealer.
Specifically, they use a man-on-the-side attack to read traffic and inject new messages into it.
The general concept of a man-on-the-side attack is that when the attacker sees a request for a specific resource on the network (through interception capabilities or a strategic position on the ISP’s network), they try to answer the victim more quickly than the legitimate server. If the attacker wins the “race”, the target machine uses the data provided by the attacker instead of the genuine data. Even if the attacker loses most of these races, they can try again on every new request until one succeeds, so given enough attempts they will eventually infect the target.
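The race described above, as an added simulation written for this article rather than code from Kaspersky's report or from WinDealer. It models an unauthenticated request/response protocol in which a transaction ID is the only link between request and reply and the client accepts the first matching reply; an eavesdropper with a shorter path wins whenever its reply lands first. It also shows the one defence that works: a reply the client can authenticate (the `SESSION_KEY`, latencies and payload names are all constructed for the demo), which is the effect of tunnelling traffic through a channel the attacker cannot forge into.

```python
"""Toy simulation of a man-on-the-side race (added example, not WinDealer code)."""
import hashlib
import hmac
import random
from dataclasses import dataclass

# Constructed: a key the client shares with the legitimate server only.
SESSION_KEY = b"demo-session-key"


def mac(body: bytes) -> bytes:
    return hmac.new(SESSION_KEY, body, hashlib.sha256).digest()


@dataclass(frozen=True)
class Reply:
    txid: int
    sender: str
    body: bytes
    arrival_ms: float          # time at which the reply reaches the client
    tag: bytes = b""           # authenticator (empty for unauthenticated replies)


def legitimate_server(txid: int, rtt_ms: float) -> Reply:
    """The real server answers after a full round trip and can compute a valid tag."""
    body = b"genuine-update.exe"
    return Reply(txid, "legit", body, rtt_ms, mac(body))


def on_the_side_attacker(txid: int, latency_ms: float) -> Reply:
    """The attacker only observes the request; it cannot suppress the genuine reply,
    so its forged reply is a separate packet racing the real one. It does not hold
    SESSION_KEY, so any tag it attaches is garbage."""
    body = b"trojanised-update.exe"
    return Reply(txid, "attacker", body, latency_ms, b"\x00" * 32)


def client_accepts(replies, txid):
    """Unauthenticated client: the first reply whose txid matches wins; later ones are dropped."""
    matching = [r for r in replies if r.txid == txid]
    return min(matching, key=lambda r: r.arrival_ms) if matching else None


def client_accepts_authenticated(replies, txid):
    """Client that also verifies the tag: a forged reply is discarded even when it
    arrives first, so winning the race no longer helps the attacker."""
    for r in sorted(replies, key=lambda r: r.arrival_ms):
        if r.txid == txid and hmac.compare_digest(mac(r.body), r.tag):
            return r
    return None


def run_race(rng, legit_rtt_ms=80.0, attacker_base_ms=60.0, attacker_jitter_ms=30.0):
    """One request: the attacker's reply time varies, so it wins only some races."""
    txid = rng.getrandbits(16)
    replies = [
        legitimate_server(txid, legit_rtt_ms),
        on_the_side_attacker(txid, attacker_base_ms + rng.uniform(0, attacker_jitter_ms)),
    ]
    return client_accepts(replies, txid)


def attacker_win_rate(seed=0, trials=2000):
    """Fraction of races the attacker wins; with the defaults roughly 2/3."""
    rng = random.Random(seed)
    wins = sum(run_race(rng).sender == "attacker" for _ in range(trials))
    return wins / trials


def attempts_until_infected(seed=0, max_attempts=100):
    """Every new request is a fresh race; return the attempt on which the attacker first wins."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        if run_race(rng).sender == "attacker":
            return attempt
    return None


if __name__ == "__main__":
    print(f"attacker win rate: {attacker_win_rate():.2f}")
    print(f"infected on attempt: {attempts_until_infected()}")
```

The point to take from the two client variants is that the race is only decisive because the protocol binds reply to request with nothing the attacker cannot copy; once the client can check an authenticator the attacker lacks, arriving first buys nothing.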
Following a successful attack, the target device receives a spyware implant that collects a large amount of information. The attackers can view and download any file stored on the device and run keyword searches across all of its documents. LuoYu generally targets foreign diplomatic organizations established in China, members of the academic community, and defense, logistics and telecommunications companies. The actor uses WinDealer against Windows devices.
Typically, malware contains a hard-coded command-and-control server through which the operator controls the infected machines. Once that server is known, defenders can block its IP address and neutralize the threat. WinDealer, however, relies on a complex IP generation algorithm to decide which machine to contact, selecting from a range of about 48,000 IP addresses. It is implausible that the operator controls more than a tiny fraction of those addresses, so blocking individual ones is futile. The only explanation for this seemingly impossible network behavior is that the attackers have significant interception capabilities over this IP range and can even read packets that never reach any destination.
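Why a reactive IP blocklist collapses against this kind of C2 selection, and a network-level check that still surfaces it, as an added example written for this article rather than code from Kaspersky's report or from WinDealer. The page does not list the real hard-coded range, so the RFC 2544 benchmarking block 198.18.0.0/15 stands in for it here; the flow records are constructed.

```python
"""Reactive blocklist vs. range-randomised C2, plus a fan-out detector (added example)."""
import ipaddress
import random
from collections import defaultdict

# Assumption: placeholder for WinDealer's real hard-coded range, which this page does not give.
C2_RANGE = ipaddress.ip_network("198.18.0.0/15")
# Placeholder for a conventional single hard-coded C2 address.
FIXED_C2 = ipaddress.ip_address("198.18.1.1")


def beacons_fixed_c2(n: int):
    """Conventional malware: every beacon goes to the same address."""
    return [FIXED_C2] * n


def beacons_random_in_range(rng: random.Random, n: int):
    """WinDealer-style: each beacon picks an address anywhere in the range."""
    base = int(C2_RANGE.network_address)
    return [ipaddress.ip_address(base + rng.randrange(C2_RANGE.num_addresses)) for _ in range(n)]


def reactive_blocklist_hit_rate(destinations) -> float:
    """Defender adds each C2 address to the blocklist the first time it is observed.
    Returns the fraction of beacons that were blocked."""
    blocked = set()
    hits = 0
    for dst in destinations:
        if dst in blocked:
            hits += 1
        else:
            blocked.add(dst)
    return hits / len(destinations)


def random_beacons_blocked(seed=1, n=100) -> float:
    """Blocklist hit rate against n range-randomised beacons from a seeded generator."""
    return reactive_blocklist_hit_rate(beacons_random_in_range(random.Random(seed), n))


# Constructed flow records: (source host, destination IP). One workstation reaches a
# single address inside the range (plausibly benign); another fans out across it.
FLOWS = [
    ("10.0.0.5", "198.18.40.2"),
    ("10.0.0.5", "93.184.216.34"),
    ("10.0.0.23", "198.18.3.9"),
    ("10.0.0.23", "198.19.77.130"),
    ("10.0.0.23", "198.18.200.4"),
    ("10.0.0.23", "198.19.12.61"),
    ("10.0.0.23", "198.18.99.99"),
    ("10.0.0.23", "198.18.3.9"),
    ("10.0.0.23", "198.19.250.1"),
    ("10.0.0.23", "93.184.216.34"),
    ("10.0.0.42", "151.101.1.69"),
]


def hosts_fanning_into_range(flows, net=C2_RANGE, min_distinct=5):
    """Flag sources contacting many distinct addresses inside `net`: ordinary clients
    reach a handful of servers there, a range-randomising implant scatters across it."""
    per_src = defaultdict(set)
    for src, dst in flows:
        if ipaddress.ip_address(dst) in net:
            per_src[src].add(dst)
    return {src: len(dsts) for src, dsts in per_src.items() if len(dsts) >= min_distinct}


if __name__ == "__main__":
    print("fixed C2 blocked:", reactive_blocklist_hit_rate(beacons_fixed_c2(100)))
    print("random-in-range blocked:", random_beacons_blocked())
    print("fan-out hosts:", hosts_fanning_into_range(FLOWS))
```

Against a fixed C2 the blocklist stops 99 of 100 beacons; against random selection from a 131,072-address range it stops essentially none, because almost every beacon goes to an address never seen before. Counting distinct in-range destinations per source host, which needs only outbound flow logging, separates the implant from a workstation that legitimately talks to one server in the same block.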
The man-on-the-side attack is particularly devastating because it requires no interaction from the target to achieve infection: the only requirement is that the target machine be connected to the Internet. Moreover, there is little users can do to protect themselves other than route their traffic through another network so the attacker no longer sees their requests. This can be done with a VPN, but VPNs may not be an option depending on the territory, and are generally not available to Chinese citizens.
The vast majority of LuoYu’s victims are in China, so Kaspersky experts believe the group’s main focus is Chinese-speaking targets and organizations tied to China. However, Kaspersky researchers have also observed attacks in other countries, including Germany, Austria, the United States, the Czech Republic, Russia and India.
“LuoYu is an extremely sophisticated threat actor capable of taking advantage of features available only to the most mature attackers. We can only speculate how they were able to develop such abilities. Man-on-the-side attacks are extremely destructive because the only requirement to attack a device is that it is connected to the internet. Even if the attack fails the first time, attackers can repeat the process over and over again until they are successful. This is how they can carry out extremely dangerous and successful espionage attacks against their victims, which usually include diplomats, scientists and employees of other key sectors. Regardless of how the attack was carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures in place, such as regular virus scans, scanning of outgoing network traffic and extensive logging to detect anomalies,” comments Suguru Ishimaru, Senior Security Researcher with Kaspersky’s Global Research and Analysis Team (GReAT).