Monday, November 3, 2025

Nation-State Hackers Deploy New Airstalk Malware in Suspected Supply Chain Attack

Oct 31, 2025 | Ravie Lakshmanan | Malware / Browser Security

A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a possible supply chain attack.

Palo Alto Networks Unit 42 said it is tracking the cluster under the moniker CL-STA-1009, where "CL" stands for cluster and "STA" refers to state-backed motivation.

"Airstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified Endpoint Management," security researchers Kristopher Russo and Chema Garcia said in an analysis. "It uses the API to establish a covert command-and-control (C2) channel, primarily via the AirWatch feature to manage custom device attributes and file uploads."

The malware, which appears in PowerShell and .NET variants, uses a multi-threaded command-and-control (C2) communication protocol and is capable of capturing screenshots and harvesting cookies, browser history, and bookmarks from web browsers. It is believed that the threat actors are leveraging a stolen certificate to sign some of the artifacts.

Unit 42 said the .NET variant of Airstalk is equipped with more capabilities than its PowerShell counterpart, suggesting it may be a more advanced version of the malware.

The PowerShell variant, for its part, uses the "/api/mdm/devices/" endpoint for C2 communications. While the endpoint is designed to fetch the details of a particular device, the malware abuses the custom attributes feature of the API as a dead drop resolver, storing the information it needs to interact with the attacker.


Once launched, the backdoor initiates contact by sending a "CONNECT" message and waits for a "CONNECTED" message from the server. It then receives the tasks to be executed on the compromised host in the form of a message of type "ACTIONS." The output of the execution is sent back to the threat actor in a "RESULT" message.

The backdoor supports seven different ACTIONS: taking a screenshot, getting cookies from Google Chrome, listing all user Chrome profiles, obtaining the browser bookmarks of a given profile, gathering the browser history of a given Chrome profile, enumerating all files within the user's directory, and uninstalling itself from the host.

"Some tasks require sending back a large amount of data or files after Airstalk is executed," Unit 42 said. "To do so, the malware uses the blobs feature of the AirWatch MDM API to upload the content as a new blob."

The .NET variant of Airstalk expands on these capabilities by also targeting Microsoft Edge and Island, an enterprise-focused browser, while attempting to mimic an AirWatch Helper utility ("AirwatchHelper.exe"). Furthermore, it supports three additional message types:

  • MISMATCH, for flagging version mismatch errors
  • DEBUG, for sending debug messages
  • PING, for beaconing

In addition, it uses three separate execution threads, each of which serves a distinct purpose: managing C2 tasks, exfiltrating the debug log, and beaconing to the C2 server. The malware also supports a broader set of commands, although one of them appears not to have been implemented yet:

  • Screenshot, to take a screenshot
  • UpdateChrome, to exfiltrate a specific Chrome profile
  • FileMap, to list the contents of a specified directory
  • RunUtility (not implemented)
  • EnterpriseChromeProfiles, to fetch the available Chrome profiles
  • UploadFile, to exfiltrate specific Chrome artifacts and credentials
  • OpenURL, to open a new URL in Chrome
  • Uninstall, to end execution
  • EnterpriseChromeBookmarks, to fetch Chrome bookmarks from a specific user profile
  • EnterpriseIslandProfiles, to fetch the available Island browser profiles
  • UpdateIsland, to exfiltrate a specific Island browser profile
  • ExfilAlreadyOpenChrome, to dump all cookies from the current Chrome profile
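As an added defender-side example (not Unit 42's code), the following Python scans a constructed proxy log for the two behaviours described above: a process other than the MDM agent reading the "/api/mdm/devices/" endpoint that the PowerShell variant uses as a dead drop, and the machine-regular polling produced by a dedicated beacon thread. The log format, the process allow-list, the sub-paths beyond "/api/mdm/devices/" and every sample line are assumptions made for the example.

```python
import re
import statistics
from datetime import datetime
# Constructed proxy log: "<timestamp> <host> <process> <method> <path>".
# ws-2201 shows PowerShell polling the device API every 30 s and pushing a blob.
SAMPLE_LOG = """\
2025-10-30T09:00:00Z ws-1042 mdm-agent.exe GET /api/mdm/devices/search
2025-10-30T09:07:13Z ws-1042 mdm-agent.exe GET /api/mdm/devices/search
2025-10-30T09:00:00Z ws-2201 powershell.exe GET /api/mdm/devices/42/customattributes
2025-10-30T09:00:30Z ws-2201 powershell.exe GET /api/mdm/devices/42/customattributes
2025-10-30T09:01:00Z ws-2201 powershell.exe GET /api/mdm/devices/42/customattributes
2025-10-30T09:01:30Z ws-2201 powershell.exe GET /api/mdm/devices/42/customattributes
2025-10-30T09:01:45Z ws-2201 powershell.exe POST /api/mam/blobs/uploadblob
2025-10-30T09:02:00Z ws-2201 powershell.exe GET /api/mdm/devices/42/customattributes
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\S+)$")
MDM_API_PREFIXES = ("/api/mdm/devices/", "/api/mam/blobs/")  # assumed API paths
EXPECTED_CALLERS = {"mdm-agent.exe"}  # placeholder for the real MDM agent binaries

def parse_log(text):
    """Turn log lines into event dicts, skipping anything malformed."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, host, proc, _method, path = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "proc": proc.lower(), "path": path.lower()})
    return events

def unexpected_callers(events):
    """(host, process) pairs where a non-agent process touches the MDM API."""
    return sorted({(e["host"], e["proc"]) for e in events
                   if e["path"].startswith(MDM_API_PREFIXES)
                   and e["proc"] not in EXPECTED_CALLERS})

def beaconing_hosts(events, min_requests=4, max_jitter=0.2):
    """Hosts polling the device API at near-constant intervals (low gap CV)."""
    by_host = {}
    for e in events:
        if e["path"].startswith("/api/mdm/devices/"):
            by_host.setdefault(e["host"], []).append(e["ts"])
    flagged = []
    for host, stamps in by_host.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.append(host)
    return sorted(flagged)
```

Tune `max_jitter` against a baseline of the legitimate agent's traffic; a real C2 implant may add random sleep, so treat the two detectors as complementary rather than relying on either alone.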

Interestingly, while the PowerShell variant uses a scheduled task for persistence, its .NET version lacks such a mechanism. Unit 42 said some of the .NET variant samples are signed with a "likely stolen" certificate issued by a valid certificate authority (Aoteng Industrial Automation (Langfang) Co., Ltd.), with early iterations featuring a compilation timestamp of June 28, 2024.

It is currently not known how the malware is distributed, or who may have been targeted in these attacks. But the use of MDM-related APIs for C2 and the targeting of enterprise browsers like Island suggest the possibility of a supply chain attack aimed at the business process outsourcing (BPO) sector.

"Organizations specializing in BPO have become lucrative targets for both criminal and nation-state attackers," it said. "Attackers are willing to invest generously in the resources necessary to not only compromise them but maintain access indefinitely."

"The evasion techniques employed by this malware allow it to remain undetected in most environments. This is particularly true if the malware is running within a third-party vendor's environment. This is particularly disastrous for organizations that use BPO because stolen browser session cookies could allow access to numerous of their clients."
