Website of Mongolian certificate authority served backdoored client installer | ZDNet

The official website of a Mongolian certification authority (CA) was harboring malware and facilitated downloads of a backdoored client to users. 

Researchers from Avast named MonPass as the compromised CA, which may have been breached up to eight times, since eight different web shells and backdoors were present on the CA’s server. 

During an analysis conducted between March and April, Avast not only found indicators of compromise in the form of the web shells and backdoors, but also that a version of the MonPass client available for download from February 8, 2021 until March 3, 2021 was malicious. 

Avast says that the installer contained Cobalt Strike binaries. Cobalt Strike is a legitimate threat emulation tool for penetration testers that is also abused by threat actors for purposes including malware deployment, data exfiltration, and network activity obfuscation. 

The malicious installer, an unsigned PE file, first pulled the legitimate installer from the MonPass domain and executed it on the user’s machine to avoid arousing suspicion. In the background, however, it also downloaded an image file and used steganography to unpack and decrypt hidden code containing a Cobalt Strike beacon, which was then installed on the victim’s machine. 

Avast says that additional variants of the malicious package have since been found on VirusTotal. 

When it comes to attribution, the researchers say “we’re not able to make attribution of these attacks with an appropriate level of confidence.”

“However, it’s clear that the attackers clearly intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia,” Avast added. 

MonPass was notified of the researchers’ findings on April 22 through MN CERT/CC. By June 29, MonPass confirmed the issue had been resolved, leading to Avast’s public disclosure. 

Anyone who downloaded the MonPass client software between February 8 and March 3 should remove the client and its associated backdoor. The latest version available is v.1.21.1. 

MonPass told ZDNet that impacted clients were informed of the security issue and the company “remotely scanned their computers to ensure that there was no threat.” 

“These attacks do not affect our public key infrastructure system, our system is completely secure, and it is operating normally behind multiple layers of protection,” the company says.
