Pierluigi Paganini July 04, 2021

Threat actors compromised the servers of Mongolian certificate authority (CA) MonPass and used its website to spread malware.

Hackers compromised the servers of the Mongolian certificate authority (CA) MonPass and used its website to spread malware, reported Avast researchers. According to the experts, the security breach took place at least six months ago, MonPass was breached potentially eight separate times and Avast researchers found eight different webshells and backdoors on a CA’s compromised server.

A major CA in East Asia, MonPass appears to have been breached at least six months ago, with the attackers returning to a compromised public webserver approximately eight times.

“We discovered an installer downloaded from the official website of MonPass, a major certification authority (CA) in Mongolia in East Asia that was backdoored with Cobalt Strike binaries.” states the analysis published by Avast.

Once compromised the website, the attackers distributed installers backdoored with the Cobalt Strike beacon. Experts also discovered that tainted versions of the official MonPass client were distributed between February 8 and March 3, 2021.

The security firm did not attribute the attack to a specific threat actor, however, experts noticed overlaps of indicators of compromise (IoCs) associated with this attack with those shared by NTT Security Threat Intelligence experts that investigated cyber espionage a campaign attributed to the China-linked Winnti Group.

The malicious installer is an unsigned PE file that first downloads the legitimate version of the installer from the MonPass official website. Once the legitimate version is dropped, it is executed under a new process to avoid raising any suspicion.

At the same time, the attackers leverage steganography to hide shellcode in a bitmap image file that is fetched by the malicious code. The analysis of the extracted code is a Cobalt Strike beacon.

“The download is performed slightly unusually in two HTTP requests. The first request uses the HEAD method to retrieve the Content-Length, followed by a second GET request to actually download the image. After the picture is downloaded, the malware extracts the encrypted payload” continues Avast.

Avast researchers found additional variants of the malware on VirusTotal, in some cases sample contained anti-analysis techniques using the same XOR decryption and also contained similar C2 server addresses 

“At this time, we’re not able to make attribution of these attacks with an appropriate level of confidence. However it’s clear that the attackers clearly intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia.” concludes the analysis.

“Most importantly, anyone that has downloaded the MonPass client between 8 February 2021 until 3 March 2021 should take steps to look for and remove the client and the backdoor it installed.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, MonPass)

[adrotate banner=”5″]

[adrotate banner=”13″]