According to cybersecurity specialists, unknown cybercriminals hacked the servers of Mongolian Certificate Authority (CA) MonPass and abused the company’s website in order to distribute malware.
The organization analysis that started in April 2021 shows that a public web server hosted by MonPass was breached potentially eight separate times. Avast researchers discovered eight different webshells and backdoors on a CA’s compromised server.
They also found that the MonPass client available for download from 8 February 2021 until 3 March 2021 was backdoored.
The cyberattack started being investigated by the Avast researchers after they discovered the backdoored installer and the implant on one of its customers’ systems.
The malicious installer is an unsigned [Portable Executable] file. It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate version is dropped to the ‘C:UsersPublic’ folder and executed under a new process. This guarantees that the installer behaves as expected, meaning that a regular user is unlikely to notice anything suspicious.
The malicious installer was created to download the authentic MonPass installer from the official website and implement it, so as to avoid raising suspicion.
At the same time, the hackers leverage steganography to conceal shellcode in a bitmap image file that is fetched by the malicious code. The analysis of the extracted code is a Cobalt Strike beacon.
The company declared that at the moment they are not able to make attribution of these attacks with an appropriate level of confidence.
By compromising a reliable source in Mongolia, the threat actors seem to have concentrated their effort toward compromising entities in this geography.
MonPass was informed of the attack on April 22, after which the certificate authority took measures to deal with their impacted server and notify those who downloaded the backdoored client.
Anyone that has downloaded the MonPass client between 8 February 2021 until 3 March 2021 is urged by the cybersecurity researchers to take steps to look for and remove the client and the backdoor it installed.