WinDealer: spyware with a peculiar delivery mechanism

Our experts studied the WinDealer malware created by the LuoYu APT group.

The LuoYu APT group distributes and controls the WinDealer malware through a man-on-the-side attack.

Kaspersky experts have studied the WinDealer malware created by the LuoYu APT group. The most interesting finding is that the attackers have apparently mastered the man-on-the-side attack method and are successfully using it both to deliver malware and to control already infected computers.

What is a man-on-the-side attack and how do WinDealer’s operators use it?

A man-on-the-side attack means the attacker has some degree of control over the communication channel: enough to read the traffic and inject arbitrary messages into the normal data exchange.

Here’s an example: attackers intercept an update request from completely legitimate software and swap the update file with a weaponized one. Apparently, this is how WinDealer is distributed.

A similar trick is used by attackers to issue commands to the malware on an infected computer. To make it harder for security researchers to find the C&C server, the malware doesn’t contain its exact address. Instead, it tries to access a random IP address from a predefined range. Attackers then intercept the request and respond to it. In some cases, WinDealer tries to access an address that doesn’t even exist, but thanks to the man-on-the-side method, it still receives a response.

According to our experts, in order to successfully use this trick, attackers need constant access to the routers of the entire subnet, or to some advanced tools at the internet-provider level.
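As an added illustration (not from the original post or from Kaspersky's analysis), here is a defender-side heuristic in Python for the beaconing pattern described above: one process reaching many distinct, seemingly random addresses inside a single prefix and receiving an answer from each. The log format and the TEST-NET addresses are constructed placeholders; the real ranges WinDealer draws from are not given here, so the prefix length and threshold are assumptions to tune per environment.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of host network-connection events (Sysmon-style, simplified):
# "<time> <process> -> <dst_ip>:<port> <got_reply>"
SAMPLE_LOG = """\
10:00:01 updater.exe -> 203.0.113.17:443 yes
10:00:05 svchost.exe -> 198.51.100.8:80 yes
10:01:10 svchost.exe -> 198.51.100.201:80 yes
10:02:30 svchost.exe -> 198.51.100.77:80 yes
10:03:12 svchost.exe -> 198.51.100.143:80 yes
10:03:40 svchost.exe -> 198.51.100.9:80 yes
10:04:00 browser.exe -> 203.0.113.17:443 yes
10:04:02 browser.exe -> 203.0.113.18:443 yes
"""


def parse_events(text):
    """Parse the constructed log lines into (time, process, ip, port, replied)."""
    events = []
    for line in text.splitlines():
        time, proc, _, dst, replied = line.split()
        ip, port = dst.rsplit(":", 1)
        events.append((time, proc, ipaddress.ip_address(ip), int(port), replied == "yes"))
    return events


def find_random_range_beacons(events, prefixlen=24, min_distinct=4):
    """Flag (process, prefix) pairs where one process got replies from at least
    min_distinct different addresses in the same prefix. Legitimate software
    talks to a few fixed hosts or a CDN; a client that is answered at many
    scattered addresses of one block is the pattern worth a closer look.
    Returns {(process, "prefix/len"): distinct_address_count}."""
    seen = defaultdict(set)
    for _, proc, ip, _, replied in events:
        if replied:  # only answered connections matter for this pattern
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            seen[(proc, str(net))].add(ip)
    return {key: len(ips) for key, ips in seen.items() if len(ips) >= min_distinct}


if __name__ == "__main__":
    for (proc, net), count in find_random_range_beacons(parse_events(SAMPLE_LOG)).items():
        print(f"suspicious: {proc} answered at {count} distinct addresses in {net}")
```

A hit is a lead, not a verdict: confirm it by checking whether those destinations actually host a service when probed from a clean vantage point, since the post notes that some of the addresses WinDealer "talks" to do not exist at all.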

Who are the WinDealer’s targets?

The vast majority of WinDealer’s targets are located in China: they are foreign diplomatic organizations, members of the academic community, or companies involved in the defense, logistics or telecommunications business. However, sometimes the LuoYu APT group also infects targets in other countries: Austria, the Czech Republic, Germany, India, Russia, and the United States. In recent months, they’ve also become more interested in businesses from other East Asian countries and their offices located in China.

What WinDealer is capable of

A detailed technical analysis of both the malware itself and its delivery mechanism can be found in a post on the Securelist blog. In short, WinDealer has the functionality of modern spyware. It can:

  • Manipulate files and the file system (open, write and delete files, collect data about directories and disks);
  • Collect information about hardware, network configuration, processes, keyboard layout, installed applications;
  • Download and upload arbitrary files;
  • Execute arbitrary commands;
  • Search through text files and MS Office documents;
  • Take screenshots;
  • Scan the local network;
  • Act as a backdoor;
  • Collect data about available Wi-Fi networks (at least one of the variants of malware found by our experts is capable of doing so).

How to stay safe

Unfortunately, man-on-the-side attacks are extremely difficult to protect against at the network level. In theory, a constant VPN connection can help, but it’s not always available. Therefore, to rule out spyware infection, it’s necessary to provide every device that has internet access with a reliable security solution. In addition, EDR-class solutions can help detect anomalies and stop an attack at an early stage.