Chinese LuoYu hackers use man-on-the-side attacks to deploy WinDealer backdoor


An “extremely sophisticated” Chinese-speaking Advanced Persistent Threat (APT) actor named LuoYu has been observed using a malicious Windows tool called WinDealer delivered through man-on-the-side attacks.

“This groundbreaking development allows the actor to modify network traffic in transit to insert malicious payloads,” Russian cybersecurity firm Kaspersky said in a new report. “Such attacks are particularly dangerous and devastating because they do not require interaction with the target to lead to a successful infection.”

LuoYu, known to have been active since 2008, mainly targets foreign diplomatic organizations based in China and members of the academic community, as well as financial, defense, logistics and telecommunications companies.

LuoYu’s use of WinDealer was first documented by the Taiwanese cybersecurity firm TeamT5 at the Japan Security Analyst Conference (JSAC) in January 2021. Since then, attack campaigns have used the malware against Japanese entities, with isolated infections reported in Austria, Germany, India, Russia and the US.

Other tools that figure prominently in the lesser-known adversary’s malware arsenal include PlugX and its successor ShadowPad, both of which have been used by various Chinese threat actors to enable their strategic objectives. In addition, the actor is known to target Linux, macOS and Android devices.

WinDealer, for its part, has historically been delivered through websites that act as watering holes and in the form of trojanized applications masquerading as instant messaging and video hosting services such as Tencent QQ and Youku.

However, the infection vector has since given way to another distribution method that abuses the automatic update mechanism of selected legitimate applications to deliver a compromised version of the executable in “rare cases”.

WinDealer, a modular malware platform at its core, comes with all the usual bells and whistles of a traditional backdoor, allowing it to collect sensitive information, take screenshots, and execute arbitrary commands.

What also sets it apart is its use of a complex IP generation algorithm to select, at random, a command-and-control (C2) server to connect to from a pool of 48,000 IP addresses.

“The only way to explain this seemingly impossible network behavior is to assume that a man-on-the-side attacker exists who can intercept all network traffic and even modify it if necessary,” the company said.

A man-on-the-side attack, similar to a man-in-the-middle attack, allows a rogue intruder to read arbitrary messages and inject its own into a communication channel, but not to modify or delete messages sent by other parties.

Man-on-the-side intrusions typically rely on timing: the attacker’s forged response, carrying attacker-supplied data, must reach the victim in reply to its request for a web resource before the legitimate response from the real server arrives.
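Because a man-on-the-side attacker cannot suppress the real server’s reply, the race described above leaves a trace on the victim’s network: one request receives two conflicting replies, a few milliseconds apart, both apparently from the legitimate source. The following detector is an added example (not code from the Kaspersky report or from any of the tools it names) that looks for exactly that artifact in a resolver log. DNS is used as the concrete instance because replies are small and routinely logged; the log format, the hostnames and the addresses (RFC 5737 documentation ranges) are all constructed for this example, and the same logic applies to any request/response protocol where duplicate, differing responses can be paired back to one request.

```python
"""Flag the hallmark of a man-on-the-side injection: two different replies
to the same request arriving within a short window.  Added example with a
constructed log format; not part of the original report."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsReply:
    ts: float      # capture timestamp in seconds
    txid: int      # DNS transaction ID copied from the query
    qname: str     # queried name
    answer: str    # address carried in the reply
    src: str       # IP the reply claims to come from (spoofable, so not a filter)


def parse_reply_line(line: str) -> DnsReply:
    """Parse one line of the constructed, space-separated log format
    assumed here:  <ts> txid=<hex> qname=<name> answer=<ip> src=<ip>"""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return DnsReply(float(ts_str), int(kv["txid"], 16),
                    kv["qname"], kv["answer"], kv["src"])


def find_conflicting_replies(replies, window=2.0):
    """Return one alert per (txid, qname) whose replies disagree on the
    answer within `window` seconds of the first reply.  The first arrival
    is the one a client would have accepted, so it is reported first."""
    by_query = defaultdict(list)
    for r in replies:
        by_query[(r.txid, r.qname)].append(r)

    alerts = []
    for (txid, qname), rs in by_query.items():
        rs.sort(key=lambda r: r.ts)
        first = rs[0]
        for later in rs[1:]:
            if later.answer != first.answer and later.ts - first.ts <= window:
                alerts.append({
                    "txid": txid, "qname": qname,
                    "first_answer": first.answer, "first_src": first.src,
                    "later_answer": later.answer, "later_src": later.src,
                    "gap_s": round(later.ts - first.ts, 3),
                })
                break  # one alert per query is enough
    return alerts


# Constructed sample log: normal lookups, plus one lookup that received two
# different answers 12 ms apart, both with the resolver's address as source.
SAMPLE_LOG = """\
1654000000.100 txid=0x1a2b qname=www.example.test answer=203.0.113.10 src=192.0.2.53
1654000001.300 txid=0x7c3d qname=update.example.test answer=198.51.100.7 src=192.0.2.53
1654000001.312 txid=0x7c3d qname=update.example.test answer=203.0.113.44 src=192.0.2.53
1654000002.500 txid=0x0e11 qname=cdn.example.test answer=203.0.113.20 src=192.0.2.53
""".splitlines()


def analyze(lines=SAMPLE_LOG):
    """Parse the log lines and return the list of conflicting-reply alerts."""
    return find_conflicting_replies([parse_reply_line(l) for l in lines])


if __name__ == "__main__":
    for a in analyze():
        print(f"conflicting replies for {a['qname']} (txid {a['txid']:#x}): "
              f"{a['first_answer']} accepted, then {a['later_answer']} "
              f"{a['gap_s']}s later from {a['later_src']}")
```

The detector deliberately ignores the source address: an injected reply is crafted to look like it came from the real server, so the only reliable signal is the disagreement between two replies to one request and the short gap between them. A legitimate retransmission repeats the same answer and is therefore not flagged.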

The threat actor’s ability to monitor such a vast array of IP addresses could also explain the hijacking of the update mechanism associated with real apps to deliver the WinDealer payload, Kaspersky points out.

“Man-on-the-side attacks are extremely destructive because the only condition required to attack a device is that it is connected to the Internet,” said security researcher Suguru Ishimaru.

“No matter how the attack was carried out, the only way potential victims can defend themselves is to remain extremely vigilant and have robust security practices in place, such as regular antivirus scans, network outbound analysis, and extensive logging to detect anomalies.”