
New Airstalk Malware Targets MDM Suspected Supply Chain Attack

A suspected nation state threat actor has been linked to the distribution of a new malware called Airstalk. This distribution is believed to be part of a likely supply chain attack targeting mobile device management (MDM) systems.

Covert Command and Control Channel

Palo Alto Networks Unit 42 is tracking this threat under the name CL-STA-1009, where "STA" denotes a suspected state-backed motivation.

Airstalk abuses the AirWatch API for mobile device management, now known as Workspace ONE Unified Endpoint Management. Security researchers noted that the malware uses the API to establish a covert command and control (C2) channel: it relies primarily on the AirWatch features for managing custom device attributes and for file uploads to communicate with the attacker.

The malware appears in both PowerShell and .NET variants. It uses a multi-threaded C2 communication protocol and is capable of capturing screenshots and harvesting cookies, browser history, bookmarks, and other sensitive information from web browsers. The threat actors are thought to be using a stolen certificate to sign some of the malicious files.

Variant Capabilities

The PowerShell variant uses the /api/mdm/devices/ endpoint for C2 communications. While this endpoint is intended to retrieve details of a specific device, the malware abuses the custom attributes feature to turn it into a dead drop resolver for storing interaction information. Once launched, the backdoor sends a "CONNECT" message, waits for a "CONNECTED" message from the server, and then receives tasks in the form of an "ACTIONS" message.

The PowerShell variant supports seven actions, including taking a screenshot, getting cookies from Google Chrome, listing all user Chrome profiles, and enumerating all files within the user's directory. To exfiltrate large amounts of data, the malware uses the "blobs" feature of the AirWatch MDM API to upload content as a new blob.
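As an added example (not from the article or from Unit 42), the following Python detector scans constructed API-gateway records for the CONNECT, CONNECTED and ACTIONS handshake the article describes being relayed through custom attributes on the /api/mdm/devices/ endpoint. The record format and the customattributes sub-path are assumptions for illustration, not the real Workspace ONE log or API layout.

```python
import re
from collections import defaultdict

# Constructed sample records (NOT real AirWatch/Workspace ONE logs). Assumed
# simplified gateway format: <ts> <client> <method> <path> <attribute>=<value>
SAMPLE_LOG = """\
2025-11-01T10:00:01Z host-a PUT /api/mdm/devices/1001/customattributes backup.state=CONNECT
2025-11-01T10:00:07Z host-a GET /api/mdm/devices/1001/customattributes backup.state=CONNECTED
2025-11-01T10:00:12Z host-a GET /api/mdm/devices/1001/customattributes backup.state=ACTIONS
2025-11-01T10:01:00Z host-b PUT /api/mdm/devices/2002/customattributes asset.tag=LAB-42
2025-11-01T10:02:00Z host-c PUT /api/mdm/devices/3003/customattributes note=CONNECT
"""

# Message types the article attributes to the Airstalk PowerShell handshake.
HANDSHAKE = ("CONNECT", "CONNECTED", "ACTIONS")

# Only records touching the device endpoint the article names are of interest.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>/api/mdm/devices/(?P<device>\d+)/\S*) (?P<attr>[^=]+)=(?P<value>.*)$"
)

def parse(log: str):
    """Yield one dict per record that matches the assumed format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def dead_drop_activity(log: str) -> dict:
    """Map device id -> ordered list of handshake markers stored in custom attributes."""
    seen = defaultdict(list)
    for rec in parse(log):
        value = rec["value"].strip()
        if value in HANDSHAKE:
            seen[rec["device"]].append(value)
    return dict(seen)

def is_full_handshake(markers) -> bool:
    """True if CONNECT, CONNECTED, ACTIONS appear in that order (as a subsequence)."""
    it = iter(markers)
    return all(any(m == want for m in it) for want in HANDSHAKE)

def flag_devices(log: str) -> dict:
    """Devices whose attribute traffic reproduces the whole handshake; a lone
    CONNECT (device 3003 in the sample) is left for lower-priority review."""
    return {dev: ms for dev, ms in dead_drop_activity(log).items() if is_full_handshake(ms)}
```

Devices that only show a single marker are worth a second look too, since a benign attribute value could coincide with one word but rarely with the ordered sequence.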

The .NET variant of Airstalk has more capabilities still. It also targets Microsoft Edge and Island, an enterprise-focused browser, while attempting to mimic an AirWatch Helper utility. The .NET version supports additional message types for version mismatch errors, debugging, and beaconing, and it uses three separate execution threads to manage C2 tasks, exfiltrate the debug log, and beacon to the server. Some samples of the .NET variant are signed with a likely stolen certificate.

Unit 42 believes that the use of MDM-related APIs for C2 and the targeting of enterprise browsers such as Island strongly suggest a potential supply chain attack against the business process outsourcing (BPO) sector. Organizations specializing in BPO have become lucrative targets for both criminal and nation state attackers.

The evasion techniques employed by this malware allow it to remain undetected in most environments. This is particularly disastrous for organizations in the BPO sector, because stolen browser session cookies could grant unauthorized access to a large number of their clients.
