
Hackers Compromise Mongolian Certificate Authority to Spread Malware

An unknown threat actor has compromised the servers of Mongolian certificate authority (CA) MonPass and abused the organization’s website for malware distribution, according to security researchers at Avast.

A major CA in East Asia, MonPass appears to have been breached at least six months ago, with the attackers returning to a compromised public web server approximately eight times.

According to Avast, the attackers backdoored installers distributed through the organization’s website with the Cobalt Strike beacon. Even the official MonPass client was compromised, with the infected binaries distributed between February 8 and March 3, 2021.

The security researchers identified eight different webshells and backdoors on the compromised public web server. The company declined to attribute the attacks to a known threat actor, but said that some of the observed technical details and IOCs overlap with those included by NTT Security Threat Intelligence researchers in a report on the China-linked Winnti Group.

The malicious installer was designed to download the legitimate MonPass installer from the official website and execute it, so as to avoid raising suspicion. At the same time, the malware would fetch a bitmap image file containing code hidden in it using steganography. The extracted code is a Cobalt Strike beacon.
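As an added example (not code from the article or from Avast's analysis), the following Python parser shows one defensive check a responder could run over image files pulled from a proxy cache or endpoint: it validates the BMP header against the real file size and flags any bytes appended after the pixel array. The article does not say how the beacon was embedded, so the appended-payload case covered here is an assumption; the sample bitmaps are constructed in memory.

```python
import struct

# Constructed helper: build a minimal 24-bit BMP in memory so the check runs offline.
# `trailing` simulates a payload appended after the pixel array (an assumed carrier method).
def make_bmp(width, height, pixel=(0, 0, 0), trailing=b""):
    row = bytes(reversed(pixel)) * width          # BMP stores pixels as BGR
    row += b"\x00" * ((4 - len(row) % 4) % 4)     # each row is padded to a 4-byte boundary
    pixels = row * height
    file_size = 14 + 40 + len(pixels)             # BITMAPFILEHEADER + BITMAPINFOHEADER + pixels
    file_hdr = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels + trailing


def inspect_bmp(data):
    """Parse a BMP header and report indicators of data hidden outside the image proper."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size = struct.unpack_from("<I", data, 2)[0]    # bfSize
    pixel_offset = struct.unpack_from("<I", data, 10)[0]    # bfOffBits
    width, height = struct.unpack_from("<ii", data, 18)     # biWidth, biHeight (may be negative)
    bits_per_pixel = struct.unpack_from("<H", data, 28)[0]  # biBitCount
    # Row stride rounded up to a multiple of 4 bytes, as the format requires.
    row_bytes = ((width * bits_per_pixel + 31) // 32) * 4
    expected_end = pixel_offset + row_bytes * abs(height)
    return {
        # Header claims a size that does not match what was actually written to disk.
        "declared_size_mismatch": declared_size != len(data),
        # Bytes after the pixel array: a legitimate encoder has no reason to emit them.
        "trailing_bytes": max(len(data) - expected_end, 0),
    }


if __name__ == "__main__":
    clean = make_bmp(3, 2)
    suspect = make_bmp(3, 2, trailing=b"\xde\xad\xbe\xef" * 8)  # constructed fake payload
    for name, blob in (("clean", clean), ("suspect", suspect)):
        print(name, inspect_bmp(blob))
```

Trailing data is only one carrier technique; an image that passes this check can still hide a payload in pixel bits, so treat a clean result as one signal among several rather than a clearance.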

By compromising a trustworthy source in Mongolia, the attackers appear to have concentrated their effort toward compromising entities in this geography. MonPass was informed of the compromise and has taken steps to secure its servers.

The security researchers recommend that all those who downloaded the MonPass client between February 8 and March 3, 2021, remove the client and check their systems for the backdoor it might have fetched and installed.


Ionut Arghire is an international correspondent for SecurityWeek.
