In man-on-the-side attacks, a Chinese-speaking hacking organization known as LuoYu infects victims with WinDealer information stealer malware by swapping genuine software updates with harmful payloads.
To accomplish this, the threat actors actively monitor their targets’ network traffic for app update requests associated with popular Asian apps like QQ, WeChat, and WangWang, and replace them with WinDealer installs.
Once installed, WinDealer aids attackers in searching for and siphoning massive amounts of data from infected Windows PCs, installing backdoors to sustain persistence, manipulating files, scanning for additional network devices, and running arbitrary instructions.
According to security researchers at Kaspersky, WinDealer would connect to a random ChinaNet (AS4134) IP address from the Xizang and Guizhou provinces out of a pool of 48,000 IP addresses instead of using the standard hard-coded command-and-control (C2) server details.
Because controlling all of these IP ranges is unlikely, LuoYu’s ability to do so has been attributed to the employment of compromised routers “on the way to (or inside) AS4134,” ISP-level law enforcement tools, or “signals intelligence tactics unknown to the public.”
LuoYu has shifted to abusing the automatic update mechanism of their victims’ apps after previously employing compromised local news sites as infection vectors in easier-to-pull-off watering-hole attacks.
“Man-on-the-side assaults are particularly damaging because all that is required to attack a device is that it be connected to the internet. Even if the assault fails the first time, attackers can keep repeating the process until it succeeds,” Suguru Ishimaru, a senior security researcher at Kaspersky, detailed the situation.
“Regardless of how the attack was carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures in place, such as regular antivirus scans, outbound network traffic analysis, and extensive logging to detect anomalies,” says the report.
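The outbound-traffic analysis the report recommends can key on the behaviour described above: because WinDealer picks its C2 at random from a large pool of addresses inside one AS, a single infected host ends up contacting many distinct addresses in that space, whereas a normal client talks to a few stable endpoints. The following Python script is an added illustration, not code from Kaspersky or the article; the log format, the `WATCHED_PREFIXES` list (documentation ranges standing in for the real AS4134 prefixes, which a deployment would load from a current routing-table export) and the threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Placeholder prefixes standing in for the address space of the AS being watched.
# These are constructed (RFC 5737 documentation ranges), NOT the real AS4134 prefixes;
# a real deployment would load the AS's current prefix list instead.
WATCHED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),   # constructed
    ipaddress.ip_network("198.51.100.0/24"),  # constructed
]

# Constructed outbound-connection log lines: "<timestamp> <src_host> <dst_ip> <dst_port>".
# ws-17 fans out to many distinct watched addresses; ws-03 touches one and a DNS server.
SAMPLE_LOG = """\
2022-06-01T10:00:01 ws-17 203.0.113.14 443
2022-06-01T10:00:05 ws-17 203.0.113.201 443
2022-06-01T10:00:09 ws-17 198.51.100.77 6999
2022-06-01T10:00:12 ws-17 203.0.113.9 443
2022-06-01T10:00:15 ws-03 198.51.100.5 443
2022-06-01T10:00:20 ws-03 8.8.8.8 53
2022-06-01T10:00:25 ws-17 198.51.100.130 443
"""


def in_watched_space(ip: str) -> bool:
    """True if the destination address falls inside any watched prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_PREFIXES)


def parse_log(text: str):
    """Yield (timestamp, src_host, dst_ip, dst_port) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        yield ts, host, dst, int(port)


def scattered_destinations(text: str, threshold: int = 3) -> dict:
    """Map each source host to the sorted list of distinct watched destinations it
    contacted, keeping only hosts at or above the threshold. A high count of distinct
    destinations inside one AS from a single host is the anomaly worth reviewing;
    the threshold (an assumption) keeps hosts that legitimately use a couple of
    services in that space out of the result."""
    seen = defaultdict(set)
    for _, host, dst, _ in parse_log(text):
        if in_watched_space(dst):
            seen[host].add(dst)
    return {h: sorted(d) for h, d in seen.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, dests in scattered_destinations(SAMPLE_LOG).items():
        print(f"{host}: {len(dests)} distinct watched destinations -> {', '.join(dests)}")
```

On the sample log only `ws-17` is reported, with five distinct watched destinations. In practice the threshold needs tuning against a baseline, and hosts that legitimately reach content delivery or messaging services hosted in the same AS should be allowlisted, otherwise the rule will page on normal traffic.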
LuoYu has been attacking Korean and Japanese organizations in China since at least 2014, and is also known for attacking foreign diplomatic organizations, the academic community, and companies in a variety of industries, including defense and telecommunications.
Other nations where Kaspersky’s Global Research and Analysis Team (GReAT) has detected infections include Germany, Austria, the United States, the Czech Republic, Russia, and India.
LuoYu has recently begun pursuing enterprises in East Asia, as well as Chinese subsidiaries.
This lesser-known hacker outfit has previously been seen infecting macOS, Linux, and Android devices with Demsty (ReverseWindow) and SpyDealer malware, in addition to targeting Windows devices with WinDealer.
“LuoYu is a very clever threat actor who can take advantage of features that are only available to the most experienced attackers. We can only hypothesize about how they were able to gain such talents,” Ishimaru continued.