LuoYu APT delivers WinDealer malware via man-on-the-side attacks

Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor

An “extremely sophisticated” China-linked APT tracked as LuoYu was delivering malware called WinDealer via man-on-the-side attacks.

Researchers from Kaspersky have uncovered an “extremely sophisticated” China-linked APT group, tracked as LuoYu, that has been observed using a malicious Windows tool called WinDealer.

LuoYu has been active since at least 2008, it focuses on targets located in China, such as foreign diplomatic organizations established in the country, members of the academic community, or companies from the defense, logistics and telecommunications sectors.

The activity of the group was first documented by TeamT5 researchers that also reported the use of three malware families: SpyDealer, Demsty and WinDealer. The threat actors developed capabilities to target almost any OS, including Windows, Linux, macOS, and Android devices.

In the past, the LuoYu group used watering-hole attacks to deliver their malware, since 2020 the WinDealer malware was delivered through an automatic update mechanism of select legitimate applications.

WinDealer has a modular structure, it allows its operators to steal sensitive information, capture screenshots, execute arbitrary commands, download and upload arbitrary files, system-wide search across text files and Microsoft Word documents, network discovery via ping scan.

The latest WinDealer sample analyzed by Kaspersky in 2020 doesn’t contain a hardcoded C2 server, but instead relies on a complex IP generation algorithm to determine the server to contact

“Putting all the pieces together, WinDealer’s infrastructure is nothing short of extraordinary:

• It appears to be distributed via plain HTTP requests that normally return legitimate executables.
• It communicates with IP addresses selected randomly inside a specific AS.
• It can interact with non-existent domain names.

It is very hard to believe that an attacker would be able to control the 48,000 IP addresses of the aforementioned IP ranges, or even a significant portion of them.” reads the analysis published by Kaspersky. “The only way to explain these seemingly impossible network behaviors is by assuming the existence of a man-on-the-side attacker who is able to intercept all network traffic and even modify it if needed.”

A man-on-the-side attack is a form of active attack in computer security similar to a man-in-the-middle attack. Instead of completely controlling a network node as in a man-in-the-middle attack, the attacker only has regular access to the communication channel, which allows him to read the traffic and insert new messages, but not to modify or delete messages sent by other participants. The attacker relies on a timing advantage to make sure that the response he sends to the request of a victim arrives before the legitimate response.

Man-on-the-side attacks are very dangerous and effective, they do not require any interaction with the target to infect it: every machine exposed on the Internet could be compromised.

“They can only be detected through careful network monitoring, which is outside of the realm of everyday users, or if an endpoint security program catches the payload when it is deployed on the attacked computer.” concludes Kaspersky.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, LuoYu)

[adrotate banner=”5″]

[adrotate banner=”13″]