Virtualization Technology News and Information
Article
RSS
Kaspersky: WinDealer malware shows extremely sophisticated network abilities

Kaspersky researchers have discovered that the malware known as WinDealer has the ability to perform intrusions through a man-on-the-side attack. This groundbreaking development allows the actor to modify network traffic in-transit to insert malicious payloads. Such attacks are especially dangerous because they do not require any interaction with the target to lead to a successful infection.

Following findings by TeamT5, Kaspersky researchers discovered a new distribution method applied by operators to spread the WinDealer malware. Specifically, they used a man-on-the-side attack to read traffic and insert new messages. The general concept of a man-on-the-side attack is that when the attacker sees a request for a specific resource on a network (through its interception capabilities or strategic position on an ISP's network), it tries to reply to the victim faster than the legitimate server. If the attacker wins that race, the target machine will then use the attacker-supplied data instead of the normal data. Even if the attackers don't win most of those races, they can try again until they succeed, guaranteeing that they will eventually infect most devices.

Following an attack, the target device receives a spyware application that can collect an impressive amount of information. The attackers are able to view and download any files stored on the device and run a keyword search on all documents. Generally, LuoYu targets foreign diplomatic organizations established in China and members of the academic community as well as defense, logistics and telecommunications companies. The actor uses WinDealer to attack Windows devices.

Typically, malware contains a hardcoded Command and Control server from which the malicious operator controls the entire system. With information about this server, it's possible to block the IP address of the machines that the malware interacts with, neutralizing the threat. However, WinDealer relies on a complex IP-generation algorithm to determine which machine to contact. This includes a range of 48,000 IP addresses, making it almost impossible for the operator to control even a small amount of the addresses. The only way to explain this seemingly impossible network behavior is by postulating that the attackers have significant interception capabilities over this IP range and can even read network packets that reach no destination.

The man-on-the-side attack is particularly devastating because it does not require any interaction with the target to lead to a successful infection: simply having a machine connected to the internet is enough. Moreover, there is nothing users can do to protect themselves, apart from routing traffic through another network. This can be done with a VPN, but these may not be an option, depending on the territory, and would typically not be available to Chinese citizens.

The vast majority of LuoYu victims are located in China, so Kaspersky experts believe that the LuoYu APT is predominantly focused on Chinese-speaking victims and organizations related to China. However, Kaspersky researchers have also noticed attacks in other countries, including Germany, Austria, the United States, Czech Republic, Russia and India.

"LuoYu is an extremely sophisticated threat actor able to leverage functionality available only to the most mature attackers," said Suguru Ishimaru, senior security researcher at Kaspersky's Global Research and Analysis Team (GReAT). "We can only speculate as to how they were able to develop such capabilities. Man-on-the-side-attacks are extremely destructive, as the only condition needed to attack a device is for it to be connected to the internet. Even if the attack fails the first time, attackers can repeat the process over and over again until they succeed. This is how they can carry out extremely dangerous and successful spying attacks on their victims, which typically include diplomats, scientists and employees of other key sectors. No matter how the attack has been carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures, such as regular antivirus scans, analysis of outbound network traffic and extensive logging to detect anomalies."

Read the full report about WinDealer on Securelist.

Published Thursday, June 02, 2022 8:58 AM by David Marshall
Filed under:
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
Calendar
<June 2022>
SuMoTuWeThFrSa
2930311234
567891011
12131415161718
19202122232425
262728293012
3456789