Chinese LuoYu hackers spread WinDealer malware in app updates

The threat actor can modify network traffic in-transit to insert malicious payloads according to Kaspersky researchers with such attacks especially dangerous because "they do not require any interaction with the target to lead to a successful infection".

According to Suguru Ishimaru, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), LuoYu is an extremely sophisticated threat actor able to leverage functionality available only to the most mature attackers.

"We can only speculate as to how they were able to develop such capabilities.

"Man-on-the-side-attacks are extremely destructive, as the only condition needed to attack a device is for it to be connected to the internet.

"Even if the attack fails the first time, attackers can repeat the process over and over again until they succeed," Ishimaru said.

Following findings by TeamT5, Kaspersky researchers discovered a new distribution method applied by operators to spread the WinDealer malware with a man-on-the-side attack to read traffic and insert new messages. The concept of a man-on-the-side attack is that when the attacker sees a request for a specific resource on a network (through its interception capabilities or strategic position on an ISP’s network), it tries to reply to the victim faster than the legitimate server.

"If the attacker wins that race, the target machine will then use the attacker-supplied data instead of the normal data.

"Even if the attackers don’t win most of those races, they can try again until they succeed, guaranteeing that they will eventually infect most devices.

VIEW ALL

"Following an attack, the target device receives a spyware application that can collect an impressive amount of information," Kaspersky researchers stated on the report.

The attackers are able to view and download any files stored on the device and run a keyword search on all documents and added that the malware typically contains a hardcoded command and control server from which the malicious operator controls the entire system.

"Generally, LuoYu targets foreign diplomatic organisations established in China and members of the academic community as well as defence, logistics and telecommunications companies.

"The actor uses WinDealer to attack Windows devices."

WinDealer relies on a complex IP-generation algorithm to determine which machine to contact. Even with information about this server, it’s possible to block the IP address of the machines that the malware interacts with, neutralising the threat.

This includes a range of 48,000 IP addresses, making it almost impossible for the operator to control even a small amount of the addresses. The only way to explain this seemingly impossible network behaviour is by postulating that the attackers have significant interception capabilities over this IP range and can even read network packets that reach no destination.

Ishimaru further explained that "this is how they can carry out extremely dangerous and successful spying attacks on their victims", which typically include diplomats, scientists and employees of other key sectors.

"No matter how the attack has been carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures, such as regular antivirus scans, analysis of outbound network traffic and extensive logging to detect anomalies," Ishimaru added.

The man-on-the-side attack is particularly devastating because it does not require any interaction with the target to lead to a successful infection; simply having a machine connected to the internet is enough.

The vast majority of LuoYu victims are located in China, so Kaspersky experts believe that the LuoYu APT is predominantly focused on Chinese victims and organisations related to China. Kaspersky researchers have also noted attacks in other countries, including Germany, Austria, the United States, Czech Republic, Russia and India.

Unfortunately, there is nothing users can do to protect themselves, apart from routing traffic through another network that can be done via a VPN, but Kaspersky researchers say these may not be an option, depending on the territory, and Chinese citizens may not have access to that option.

"This is how they can carry out extremely dangerous and successful spying attacks on their victims, which typically include diplomats, scientists and employees of other key sectors.

"No matter how the attack has been carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures, such as regular antivirus scans, analysis of outbound network traffic and extensive logging to detect anomalies," the Kaspersky researchers said.

[Related: Report finds zero trust segmentation stops 5 cyber disasters per year]