Website of Mongolian certificate authority served backdoored client installer
The official website of a Mongolian certification authority (CA) was harboring malware and facilitated downloads of a backdoored client to users.
Researchers from Avast named MonPass as the compromised CA, which was potentially breached up to eight times as eight different web shells and backdoors were present on the CA’s server.
During an analysis conducted between March and April, Avast not only found indicators of compromise due to the web shells and backdoors, but also that a version of the MonPass client, available from February 8, 2021, until March 3, 2021, for download, was malicious.
Avast says that the installer contained Cobalt Strike binaries. Cobalt Strike is a legitimate threat emulation tool for penetration testers that is also abused by threat actors for purposes including malware deployment, data exfiltration, and network activity obfuscation.
The malicious installer, an unsigned PE file, first pulled a copy of the legitimate installer from the MonPass domain and ran it on the user's machine so that nothing looked amiss. In the background, however, it also downloaded an image file and used steganography to unpack and decrypt hidden code carrying a Cobalt Strike beacon, which was then installed on the victim's machine.
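A defender-side check for the first red flag in the passage above, the unsigned installer: this added Python example (not code from Avast, MonPass or the original article) parses the PE headers and reports whether an Authenticode signature directory is present. The sample input is a constructed, minimal PE32+ header, and the function names `build_minimal_pe` and `has_authenticode_signature` are my own.

```python
import struct

# Constructed sample: a minimal PE32+ header image built in memory (no sections,
# never executed) so the check runs offline. It is not a real MonPass binary.
def build_minimal_pe(signed: bool) -> bytes:
    opt_size = 240                                   # PE32+ optional header size
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE signature at 64
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    if signed:
        # Data directory 4 = IMAGE_DIRECTORY_ENTRY_SECURITY: (file offset, size)
        # of the WIN_CERTIFICATE blob. Constructed placeholder values.
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x400, 0x1800)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def has_authenticode_signature(pe: bytes) -> bool:
    """True if the security data directory points at a certificate blob.

    Presence is only the first gate: a real pipeline must still verify the
    certificate chain and the file hash. A missing directory, as with the
    backdoored MonPass installer, should fail triage immediately.
    """
    if len(pe) < 64 or pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("invalid PE signature")
    opt_off = pe_off + 4 + 20                        # after COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dirs_off = {0x10B: 96, 0x20B: 112}.get(magic)    # PE32 vs PE32+
    if dirs_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", pe, opt_off + dirs_off - 4)[0]
    entry = opt_off + dirs_off + 4 * 8
    if n_dirs <= 4 or entry + 8 > len(pe):
        return False                                 # no security entry at all
    addr, size = struct.unpack_from("<II", pe, entry)
    return addr != 0 and size != 0


if __name__ == "__main__":
    for flag in (True, False):
        print("signed" if has_authenticode_signature(build_minimal_pe(flag))
              else "UNSIGNED: do not trust")
```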
Avast says that additional variants of the malicious package have since been found on VirusTotal.
When it comes to attribution, the researchers say “we’re not able to make attribution of these attacks with an appropriate level of confidence.”
“However, it’s clear that the attackers clearly intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia,” Avast added.
MonPass was notified of the researchers' findings on April 22 through MN CERT/CC. By June 29, MonPass confirmed the issue had been resolved, leading to Avast's public disclosure.