CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Supply Chain Security

Chinese APT Uses ‘Airstalk’ Malware in Supply Chain Attacks

PowerShell and .NET variants of the malware abuse AirWatch’s MDM API to establish a C&C communication channel. The post Chinese APT Uses ‘Airstalk’ Malware in Supply Chain Attacks appeared first on SecurityWeek.

Software Supply Chain Attack

A suspected Chinese state-sponsored threat actor has been deploying an AirWatch API-abusing malware family in supply chain attacks, Palo Alto Networks reports.

The APT, tracked as CL-STA-1009, has been targeting business process outsourcing (BPO) entities, which typically have access to critical business systems within their clients’ networks.

According to Palo Alto Networks, organizations specializing in BPO have been increasingly targeted by cybercriminals and state-sponsored hackers. These entities can be abused in supply chain attacks, as gateways to multiple target environments.

“BPOs typically leverage the economy of scale to have highly specialized talent service multiple clients concurrently. […] Attackers are willing to invest generously in the resources necessary to not only compromise them but maintain access indefinitely,” the cybersecurity firm notes.

As part of the CL-STA-1009 attacks observed by Palo Alto Networks, two variants of a malware family dubbed Airstalk were seen, one written in PowerShell and the other written in .NET.

Both variants abuse the AirWatch API for mobile device management (MDM) to establish a covert communication channel with the command-and-control (C&C) server, employ a multi-threaded communication protocol, and were signed using likely stolen certificates.

The PowerShell iteration of Airstalk can receive commands from the C&C to take screenshots, list files in the user directory, list Chrome profiles, and harvest data from Chrome, including cookies, bookmarks, and browser history.

The .NET variant of Airstalk uses a slightly different communications protocol and has more capabilities, targeting Microsoft Edge and Island Browser in addition to Chrome. In addition to stealing browser data, it can open URLs in Chrome.

The malware employs various defense techniques, such as the use of a revoked certificate likely issued to a legitimate organization last year. The malware’s developer altered the samples’ timestamps so they would remain undetected within BPO organizations’ networks.

“CL-STA-1009 is a threat activity cluster representing activity from a suspected nation-state actor. This cluster is associated with Airstalk malware, which we assess with medium confidence adversaries used in supply chain attacks,” Palo Alto Networks says.

Related: Chinese APT Exploits Unpatched Windows Flaw in Recent Attacks

Related: Russian APT Switches to New Backdoor After Malware Exposed by Researchers

Related: Lumma Stealer Activity Drops After Doxxing

Related: CISA Adds Exploited XWiki, VMware Flaws to KEV Catalog

Latest News

CYBERNEWSMEDIAPublisher