Select Page

Website of Mongolian certificate authority served backdoored client installer

|

Website of Mongolian certificate authority served backdoored client installer

The official website of a Mongolian certification authority (CA) was harboring malware and facilitated downloads of a backdoored client to users. 

Researchers from Avast named MonPass as the compromised CA, which was potentially breached up to eight times as eight different web shells and backdoors were present on the CA’s server. 

During an analysis conducted between March and April, Avast not only found indicators of compromise due to the web shells and backdoors, but also that a version of the MonPass client, available from February 8, 2021, until March 3, 2021, for download, was malicious. 

Avast says that the installer contained Cobalt Strike binaries. Cobalt Strike is a legitimate threat emulation tool for penetration testers that is also abused by threat actors for purposes including malware deployment, data exfiltration, and network activity obfuscation. 

The malicious installer, an unsigned PE file, first pulled the legitimate installer version from the MonPass domain and executed the software on a user’s machine to avoid arousing suspicion. However, in the background, an image file was also downloaded and steganography was used to unpack and decrypt hidden code containing a Cobalt Strike beacon for installation on a victim’s machine. 

Avast says that additional variants of the malicious package have since been found on VirusTotal. 

When it comes to attribution, the researchers say “we’re not able to make attribution of these attacks with an appropriate level of confidence.”

“However, it’s clear that the attackers clearly intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia,” Avast added. 

MonPass was notified of the researcher’s findings on April 22 through MN CERT/CC. By June 29, MonPass confirmed the issue had been resolved, leading to Avast’s public disclosure. 

Anyone that downloaded MonPass client software between February 8 and March 3 should remove the client and its associated backdoor. The latest version available is v.1.21.1. 

MonPass told ZDNet that impacted clients were informed of the security issue and the company “remotely scanned their computers to ensure that there was no threat.” 

“These attacks do not affect our public key infrastructure system, our system is completely secure, and it is operating normally behind multiple layers of protection,” the company says.

Previous and related coverage

  • Backdoor malware is being spread through fake security certificate alerts

  • Apple strong-arms entire CA industry into one-year certificate lifespans

  • Google bans another misbehaving CA from Chrome

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Source: https://www.zdnet.com/article/website-of-mongolian-certificate-authority-backdoored-served-malware/#ftag=RSSbaffb68

Rate:

Related Posts

This evasive new cyberattack can bypass air-gapped systems to steal data from the most sensitive networks

This evasive new cyberattack can bypass air-gapped systems to steal data from the most sensitive networks

December 12, 2022

Best security key (2022)

Best security key (2022)

April 20, 2022

Google’s new Nest lineup includes a Doorbell and Cams

Google’s new Nest lineup includes a Doorbell and Cams

August 5, 2021

Phishing emails targeting LinkedIn accounts are on the rise. Here’s what to watch out for

Phishing emails targeting LinkedIn accounts are on the rise. Here’s what to watch out for

April 21, 2022