A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack.
Palo Alto Networks Unit 42 said it’s tracking the cluster under the moniker CL-STA-1009, where “CL” stands for cluster and “STA” refers to state-backed motivation.
“Airstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified Endpoint Management,” security researchers Kristopher Russo and Chema Garcia said in an analysis. “It uses the API to establish a covert command-and-control (C2) channel, primarily through the AirWatch feature to manage custom device attributes and file uploads.”
The malware, which appears in PowerShell and .NET variants, makes use of a multi-threaded command-and-control (C2) communication protocol and is capable of capturing screenshots and harvesting cookies, browser history, bookmarks, and screenshots from web browsers. It’s believed that the threat actors are leveraging a stolen certificate to sign some of the artifacts.
Unit 42 said the .NET variant of Airstalk is equipped with more capabilities than its PowerShell counterpart, suggesting it could be an advanced version of the malware.
The PowerShell variant, for its part, utilizes the “/api/mdm/devices/” endpoint for C2 communications. While the endpoint is designed to fetch content details of a particular device, the malware uses the custom attributes feature in the API to use it as a dead drop resolver for storing information necessary for interacting with the attacker.
Once launched, the backdoor initializes contact by sending a “CONNECT” message and awaits a “CONNECTED” message from the server. It then receives various tasks to be executed on the compromised host in the form of a message of type “ACTIONS.” The output of the execution is sent back to the threat actor using a “RESULT” message.
The backdoor supports seven different ACTIONS, including taking a screenshot, getting cookies from Google Chrome, listing all user Chrome profiles, obtaining browser bookmarks of a given profile, collecting the browser history of a given Chrome profile, enumerating all files within the user’s directory, and uninstalling itself from the host.
“Some tasks require sending back a large amount of data or files after Airstalk is executed,” Unit 42 said. “To do so, the malware uses the blobs feature of the AirWatch MDM API to upload the content as a new blob.”
The .NET variant of Airstalk expands on the capabilities by also targeting Microsoft Edge and Island, an enterprise-focused browser, while attempting to mimic an AirWatch Helper utility (“AirwatchHelper.exe”). Furthermore, it supports three more message types –
- MISMATCH, for flagging version mismatch errors
- DEBUG, for sending debug messages
- PING, for beaconing
In addition, it uses three different execution threads, each of which serves a unique purpose: to manage…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
