A suspected Chinese state-sponsored threat actor has been deploying an AirWatch API-abusing malware family in supply chain attacks, Palo Alto Networks reports.
The APT, tracked as CL-STA-1009, has been targeting business process outsourcing (BPO) entities, which typically have access to critical business systems within their clients’ networks.
According to Palo Alto Networks, organizations specializing in BPO have been increasingly targeted by cybercriminals and state-sponsored hackers. These entities can be abused in supply chain attacks, as gateways to multiple target environments.
“BPOs typically leverage the economy of scale to have highly specialized talent service multiple clients concurrently. […] Attackers are willing to invest generously in the resources necessary to not only compromise them but maintain access indefinitely,” the cybersecurity firm notes.
As part of the CL-STA-1009 attacks observed by Palo Alto Networks, two variants of a malware family dubbed Airstalk were seen, one written in PowerShell and the other written in .NET.
Both variants abuse the AirWatch API for mobile device management (MDM) to establish a covert communication channel with the command-and-control (C&C) server, employ a multi-threaded communication protocol, and were signed using likely stolen certificates.
The PowerShell iteration of Airstalk can receive commands from the C&C to take screenshots, list files in the user directory, list Chrome profiles, and harvest data from Chrome, including cookies, bookmarks, and browser history.
The .NET variant of Airstalk uses a slightly different communications protocol and has more capabilities, targeting Microsoft Edge and Island Browser in addition to Chrome. In addition to stealing browser data, it can open URLs in Chrome.
The malware employs various defense techniques, such as the use of a revoked certificate likely issued to a legitimate organization last year. The malware’s developer altered the samples’ timestamps so they would remain undetected within BPO organizations’ networks.
“CL-STA-1009 is a threat activity cluster representing activity from a suspected nation-state actor. This cluster is associated with Airstalk malware, which we assess with medium confidence adversaries used in supply chain attacks,” Palo Alto Networks says.
Related: Chinese APT Exploits Unpatched Windows Flaw in Recent Attacks
Related: Russian APT Switches to New Backdoor After Malware Exposed by Researchers
Related: Lumma Stealer Activity Drops After Doxxing
Related: CISA Adds Exploited XWiki, VMware Flaws to KEV Catalog
