Chinese LuoYu hackers deploy cyber-espionage malware via app updates


Level 37
Thread author
Top poster
Feb 4, 2016
A Chinese-speaking hacking group known as LuoYu is infecting victims WinDealer information stealer malware deployed by switching legitimate app updates with malicious payloads in man-on-the-side attacks.

To do that, the threat actors actively monitor their targets' network traffic for app update requests linked to popular Asian apps such as QQ, WeChat, and WangWang and replace them with WinDealer installers.

Once deployed, WinDealer helps the attackers search for and siphon large amounts of data from compromised Windows systems, install backdoors to maintain persistence, manipulate files, scan for other devices on the network, and run arbitrary commands.

Instead of using the common hard-coded command-and-control (C2) server info, WinDealer will connect to a random ChinaNet (AS4134) IP address from the Xizang and Guizhou provinces out of a pool of 48,000 IP addresses, according to security researchers at Kaspersky who observed this new delivery method.

Since controlling the entirety of these IP ranges is likely impossible, explanations of how LuoYu is capable of this include the use of compromised routers "on the route to (or inside) AS4134," the use of ISP-level law enforcement tools, or "signals intelligence methods unknown to the general public."