A suspected nation-state threat actor is believed to be involved in distributing a new malware called Airstalk as part of a supply chain attack.
Palo Alto Networks Unit 42 said it is tracking this cluster under the name CL-STA-1009Here, “CL” stands for cluster and “STA” refers to state-backed motivation.
“Airstalk exploits the AirWatch API for mobile device management (MDM), now called Workspace ONE Unified Endpoint Management,” security researchers Kristopher Russo and Chema Garcia wrote in their analysis. “Using APIs to establish covert command and control (C2) channels primarily through AirWatch functionality and manage custom device attributes and file uploads.”
The malware, which appears as PowerShell and .NET variants, leverages the multi-threaded command-and-control (C2) communication protocol and can capture screenshots and collect cookies, browser history, bookmarks, and screenshots from web browsers. It is believed that the attackers are using stolen certificates to sign some artifacts.
Unit 42 said the .NET variant of Airstalk has more features than the PowerShell version, suggesting it may be an advanced version of the malware.
The PowerShell variant utilizes the “/api/mdm/devices/” endpoint for C2 communication. While the endpoint is designed to retrieve content details for a specific device, the malware uses the API’s custom attributes functionality to act as a dead drop resolver to store information needed to interact with the attacker.
Once launched, the backdoor initializes the connection by sending a “CONNECT” message and waits for a “CONNECTED” message from the server. It then receives various tasks to be performed on the compromised host in the form of “ACTIONS” type messages. The output of the execution is sent back to the attacker using a “RESULT” message.
The backdoor supports seven different actions, including taking screenshots, retrieving cookies from Google Chrome, listing all user Chrome profiles, retrieving browser bookmarks for a particular profile, collecting browser history for a particular Chrome profile, enumerating all files in the user’s directory, and uninstalling from the host.
“Some tasks require large amounts of data or files to be sent back after Airstalk runs,” Unit 42 said. “To do this, the malware uses the AirWatch MDM API’s BLOB functionality to upload the content as a new BLOB.”
The .NET variant of Airstalk mimics the AirWatch Helper utility (‘AirwatchHelper.exe’) while extending its functionality by also targeting the enterprise browsers Microsoft Edge and Island. In addition, it supports three additional message types.
- MISMATCH, to flag version mismatch errors
- DEBUG, for sending debug messages
- For PING, beacon
Additionally, three different execution threads are used, each serving a specific purpose of managing C2 tasks, extracting debug logs, and beaconing to the C2 server. The malware also supports a wide set of commands, one of which does not appear to be implemented yet.
- Screenshot, how to take a screenshot
- UpdateChrome, extract specific Chrome profiles
- FileMap, list the contents of a specific directory
- RunUtility (not implemented)
- EnterpriseChromeProfiles, get available Chrome profiles
- UploadFile, extract specific Chrome artifacts and credentials
- OpenURL, opens a new URL in Chrome
- Uninstall and finish running
- EnterpriseChromeBookmarks, retrieves Chrome bookmarks from a specific user profile
- EnterpriseIslandProfiles, retrieves the available island browser profiles.
- UpdateIsland, extracts specific Island browser profiles
- ExfilAlreadyOpenChrome, dumps all cookies from the current Chrome profile
Interestingly, while the PowerShell variant uses scheduled tasks for persistence, its .NET version has no such mechanism. Unit 42 said some of the .NET variant samples were signed with “possibly stolen” certificates signed by a valid certificate authority (Aoteng Industrial Automation (Langfang) Co., Ltd.), and early iterations featured a compilation timestamp of June 28, 2024.
At this time, it is unclear how the malware was distributed or who was targeted in these attacks. However, the use of MDM-related APIs in C2 and the targeting of enterprise browsers like Island suggests the possibility of supply chain attacks targeting the business process outsourcing (BPO) sector.
“Organizations specializing in BPO have become lucrative targets for both criminals and nation-state actors,” the report said. “Thus, attackers are willing to invest the resources necessary to not only compromise security, but maintain access indefinitely.”
“The evasion techniques employed by this malware allow it to remain undetected in most environments. This is especially true when the malware is running within a third-party vendor’s environment. This is especially disastrous for organizations using BPO, as stolen browser session cookies can potentially provide access to a large number of clients.”
