Mongolian Certification Authority MonPass BreachedAvast: This Supply Chain Attack Used Cobalt Strike
Researchers at Avast discovered a compromised server belonging to MonPass, a certification authority in Mongolia, that may have been breached eight times.
Avast, a Czech cybersecurity software company, says the researchers uncovered eight web shells and backdoors in a public web server hosted by MonPass.
This supply chain attack was backdoored with Cobalt Strike binaries in MonPass' official client, Avast says. The backdoor was active and available to download on the official app site from Feb. 8 to March 3, Avast says.
"We immediately notified MonPass on April 22, 2021, of our findings and encouraged them to address their compromised server and notify those who downloaded the backdoored client," Avast says. The exact details of how the MonPass server was breached are unknown, the researchers say.
Avast did not attribute the breach to an attack group. "It’s clear that the attackers intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia," the company says.
Researchers say anyone who downloaded the MonPass client between Feb. 8 and March 3 should take steps to look for and remove the client and the backdoor it installed.
A spokesperson for MonPass was not immediately available to comment.
The malicious installer used by the attacker is an unsigned Portable Executable file, which starts after downloading the legitimate version of the installer from the MonPass official website, Avast says.
"This legitimate version is dropped to the C:UsersPublic folder and executed under a new process. This guarantees that the installer behaves as expected, meaning that a regular user is unlikely to notice anything suspicious," the researcher say.
Avast researchers found that the attackers used steganography - code hidden in images - to transfer shellcode to their victims. Upon execution, the malware downloaded a bitmap image file. The researchers note that the download was performed in two HTTP requests, which they say is unusual.
"The first request uses the HEAD method to retrieve the Content-Length, followed by a second GET request to actually download the image. After the picture is downloaded, the malware extracts the encrypted payload," the researchers note. "The hidden data is expected to be up to 0x76C bytes. Starting with the 3rd byte in image data it copies each 4th byte. The resulting data represents an ASCII string of hexadecimal characters which is later decoded into their respective binary values. These bytes are then XOR decrypted using the hardcoded key miat_mg, resulting in a Cobalt-Strike beacon."
The researchers say they observed multiple versions of this backdoored installer, each with slightly modified decryptors. In one of the versions, researchers observed that the XOR decryption was stripped, whereas in other versions, basic anti-analysis tricks were stripped.
In the backdoored installer, researchers also observed basic anti-analysis techniques used in an attempt to avoid detection.
"We observed checks for the number of processors using the GetSystemInfo function, the amount of physical memory using the GlobalMemoryStatusEx function and the disk capacity using the IOCTL_DISK_GET_DRIVE_GEOMETRY IOCTL call. If any of the obtained values are suspiciously low, the malware terminates immediately," researchers note.
While analyzing the attackers’ command and control, researchers checked the malicious web server hxxps://jquery-code.ml, from which Browser_plugin.exe has been downloading.
"The malicious web server looks identical to the legitimate one https://code.jquery.com/; the difference is the certificate. The legitimate server https://code.jquery.com is signed by Sectigo Limited, while the malicious server is signed by Cloudflare, Inc.," the researchers note.
Timeline of Events
Avast researchers say that they discovered the backdoor installer on March 24 and made initial contact on April 8 with Monpass through CERT Mongolia, providing their findings.
On April 20, MonPass made first contact and shared a forensic image of an infected web server with Avast Threat Labs. On April 22, Avast provided details about the incident and findings from the forensics image in a call with MonPass and CERT Mongolia.
After two follow-up emails on May 3 and May 10, MonPass replied June 4, asking for information already provided on April 22, Avast says. So, Avast sent follow-up emails on June 14 and 29, with its last email indicating its plans to publish and including a draft of a blog on the situation for feedback.
On June 29, MonPass responded, saying it had resolved the issues and notified affected customers, Avast says.
Increased Use of Cobalt Strike
Last month, Proofpoint reported that the legitimate security penetration testing tool Cobalt Strike is increasingly being used by threat groups, especially those that are less technically proficient.
Proofpoint researchers say that the number of attacks using Cobalt Strike increased 161% between 2019 and 2020, and the tool remains a high-volume threat in 2021. It's been used in a wide variety of attacks - including the SolarWinds supply chain attack - and for cyberespionage campaigns.
"Cobalt Strike is used by a diverse array of threat actors, and while it is not unusual for cybercriminal and APT actors to leverage similar tooling in their campaigns, Cobalt Strike is unique in that its built-in capabilities enable it to be quickly deployed and operationalized regardless of actor sophistication or access to human or financial resources," Proofpoint said.