A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack.
Palo Alto Networks Unit 42 said it’s tracking the cluster under the moniker CL-STA-1009, where “CL” stands for cluster and “STA” refers to state-backed motivation.
“Airstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified Endpoint Management,” security researchers Kristopher Russo and Chema Garcia said in an analysis. “It uses the API to establish a covert command-and-control (C2) channel, primarily through the AirWatch feature to manage custom device attributes and file uploads.”
The malware, which appears in PowerShell and .NET variants, makes use of a multi-threaded command-and-control (C2) communication protocol and is capable of capturing screenshots and harvesting cookies, browser history, bookmarks, and screenshots from web browsers. It’s believed that the threat actors are leveraging a stolen certificate to sign some of the artifacts.
Unit 42 said the .NET variant of Airstalk is equipped with more capabilities than its PowerShell counterpart, suggesting it could be an advanced version of the malware.
The PowerShell variant, for its part, utilizes the “/api/mdm/devices/” endpoint for C2 communications. While the endpoint is designed to fetch content details of a particular device, the malware uses the custom attributes feature in the API to use it as a dead drop resolver for storing information necessary for interacting with the attacker.
Once launched, the backdoor initializes contact by sending a “CONNECT” message and awaits a “CONNECTED” message from the server. It then receives various tasks to be executed on the compromised host in the form of a message of type “ACTIONS.” The output of the execution is sent back to the threat actor using a “RESULT” message.
The backdoor supports seven different ACTIONS, including taking a screenshot, getting cookies from Google Chrome, listing all user Chrome profiles, obtaining browser bookmarks of a given profile, collecting the browser history of a given Chrome profile, enumerating all files within the user’s directory, and uninstalling itself from the host.
“Some tasks require sending back a large amount of data or files after Airstalk is executed,” Unit 42 said. “To do so, the malware uses the blobs feature of the AirWatch MDM API to upload the content as a new blob.”
The .NET variant of Airstalk expands on the capabilities by also targeting Microsoft Edge and Island, an enterprise-focused browser, while attempting to mimic an AirWatch Helper utility (“AirwatchHelper.exe”). Furthermore, it supports three more message types –
- MISMATCH, for flagging version mismatch errors
- DEBUG, for sending debug messages
- PING, for beaconing
In addition, it uses three different execution threads, each of which serves a unique purpose: to manage C2 tasks, exfiltrate the debug log, and beacon to the C2 server. The malware also supports a broader set of commands, although one of them appears not to have been implemented yet –
- Screenshot, to take a screenshot
- UpdateChrome, to exfiltrate a specific Chrome profile
- FileMap, to list the contents of the specific directory
- RunUtility (not implemented)
- EnterpriseChromeProfiles, to fetch available Chrome profiles
- UploadFile, to exfiltrate specific Chrome artifacts and credentials
- OpenURL, to open a new URL in Chrome
- Uninstall, to finish the execution
- EnterpriseChromeBookmarks, to fetch Chrome bookmarks from a specific user profile
- EnterpriseIslandProfiles, to fetch available Island browser profiles
- UpdateIsland, to exfiltrate a specific Island browser profile
- ExfilAlreadyOpenChrome, to dump all cookies from the current Chrome profile
Interestingly, while the PowerShell variant uses a scheduled task for persistence, its .NET version lacks such a mechanism. Unit 42 said some of the .NET variant samples are signed with a “likely stolen” certificate signed by a valid certificate authority (Aoteng Industrial Automation (Langfang) Co., Ltd.), with early iterations featuring a compilation timestamp of June 28, 2024.
It’s currently not known how the malware is distributed, or who may have been targeted in these attacks. But the use of MDM-related APIs for C2 and the targeting of enterprise browsers like Island suggest the possibility of a supply chain attack targeting the business process outsourcing (BPO) sector.
“Organizations specializing in BPO have become lucrative targets for both criminal and nation-state attackers,” it said. “Attackers are willing to invest generously in the resources necessary to not only compromise them but maintain access indefinitely.”
“The evasion techniques employed by this malware allow it to remain undetected in most environments. This is particularly true if the malware is running within a third-party vendor’s environment. This is particularly disastrous for organizations that use BPO because stolen browser session cookies could allow access to a large number of their clients.”
