LuoYu, a Chinese-speaking hacking group, is infecting victims with the WinDealer information stealer that installs backdoors to maintain persistence. The stealer performs man-on-the-side attacks.
WinDealer
A malicious Windows tool named WinDealer was observed being used by this Chinese APT group.
WinDealer is spread primarily through a stealthy mechanism known as a man-on-the-side attack, in which malicious payloads are delivered in place of legitimate application updates.
The threat actors carry out this form of propagation by monitoring their target's network traffic to determine whether applications linked to popular Asian social apps are requesting updates.
Once they see a legitimate update request, they immediately answer it with a malicious WinDealer installer in place of the real update. It is very hard to believe that an attacker would be able to control the 48,000 IP addresses of the aforementioned IP ranges, or even a significant portion of them.
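A defender-side check that follows from this delivery method, added here as an example that is not part of the original article or of any vendor report: a forged response injected from the side races the genuine one, so the genuine response usually still arrives afterwards, and a passive sensor can flag any request that drew two conflicting responses. The flow records below are constructed sample data, and the TTL and body-hash fields are assumed to be available from the capture.

```python
"""Flag TCP flows in which one client request drew two conflicting server
responses, the hallmark of man-on-the-side injection. Records are
constructed sample data, not real traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    client: str       # client IP:port
    server: str       # server IP:port
    seq: int          # TCP sequence number of the first response byte
    ttl: int          # IP TTL observed on the response packet
    body_sha256: str  # hash of the response body (constructed values below)


def find_conflicting_responses(responses):
    """Return sorted (client, server, seq) keys for which more than one
    response carried the same sequence number but differed in payload or
    in IP TTL. A plain retransmission repeats both body and TTL and is
    therefore not reported; an injected response normally differs in at
    least one of them because it originates from a different host."""
    seen = defaultdict(set)
    for r in responses:
        seen[(r.client, r.server, r.seq)].add((r.ttl, r.body_sha256))
    return sorted(key for key, variants in seen.items() if len(variants) > 1)


# Constructed sample: the first flow receives a forged update (different TTL
# and body) followed by the genuine one; the second flow is a retransmission.
SAMPLE = [
    Response("10.0.0.5:51000", "203.0.113.10:80", 1000, 52, "aaaa"),  # forged
    Response("10.0.0.5:51000", "203.0.113.10:80", 1000, 44, "bbbb"),  # genuine
    Response("10.0.0.6:51001", "203.0.113.10:80", 2000, 44, "cccc"),
    Response("10.0.0.6:51001", "203.0.113.10:80", 2000, 44, "cccc"),  # retransmit
]

if __name__ == "__main__":
    for key in find_conflicting_responses(SAMPLE):
        print("suspected injected response on flow:", key)
```

Pairing this with signature verification of downloaded updates on the endpoint closes the gap from the other side, since a forged installer that is not signed by the vendor is rejected regardless of how it arrived.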
Capabilities of the malware
Following are the capabilities of the WinDealer malware:
- Search for and collect large amounts of data on the compromised system.
- Exfiltrate the collected data from the compromised system.
- Ensure the persistence of the attack by installing backdoors.
- Manipulate files.
- Collect hardware details.
- Collect network configuration and/or keyboard layout.
- List running processes.
- Collect installed applications and the configuration files of popular messaging apps (Skype, QQ, WeChat and Wangwang).
- Capture screenshots.
- Perform network discovery via ping scan.
File Hash
- ce65092fe9959cc0ee5a8408987e3cd4
- 0c8663bf912ef4d69a1473597925feeb
- 1bd4911ea9eba86f7745f2c1a45bc01b