The official website of a Mongolian certification authority (CA) was harboring malware and facilitated downloads of a backdoored client to users.
Researchers from Avast named MonPass as the compromised CA, which was potentially breached up to eight times as eight different web shells and backdoors were present on the CA’s server.
During an analysis conducted between March and April, Avast not only found indicators of compromise due to the web shells and backdoors, but also that a version of the MonPass client, available from February 8, 2021, until March 3, 2021, for download, was malicious.
Avast says that the installer contained Cobalt Strike binaries. Cobalt Strike is a legitimate threat emulation tool for penetration testers that is also abused by threat actors for purposes including malware deployment, data exfiltration, and network activity obfuscation.
The malicious installer, an unsigned PE file, first pulled the legitimate installer version from the MonPass domain and executed the software on a user’s machine to avoid arousing suspicion. However, in the background, an image file was also downloaded and steganography was used to unpack and decrypt hidden code containing a Cobalt Strike beacon for installation on a victim’s machine.
Avast says that additional variants of the malicious package have since been found on VirusTotal.
When it comes to attribution, the researchers say “we’re not able to make attribution of these attacks with an appropriate level of confidence.”
“However, it’s clear that the attackers clearly intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia,” Avast added.
MonPass was notified of the researcher’s findings on April 22 through MN CERT/CC. By June 29, MonPass confirmed the issue had been resolved, leading to Avast’s public disclosure.
Anyone that downloaded MonPass client software between February 8 and March 3 should remove the client and its associated backdoor. The latest version available is v.1.21.1.
MonPass told ZDNet that impacted clients were informed of the security issue and the company “remotely scanned their computers to ensure that there was no threat.”
“These attacks do not affect our public key infrastructure system, our system is completely secure, and it is operating normally behind multiple layers of protection,” the company says.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0