Kaspersky researchers have discovered that malware dubbed WinDealer, spread by Chinese-speaking Advanced Persistent Threat (APT) actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack.

This development allows the actor to modify network traffic in-transit to insert malicious payloads. Such attacks are especially dangerous and devastating because they do not require any interaction with the target to lead to a successful infection.

Following the findings by TeamT5, Kaspersky researchers discovered a new distribution method applied by operators to spread the WinDealer malware.

Specifically, they used a man-on-the-side attack to read traffic and insert new messages. The general concept of a man-on-the-side attack is that when the attacker sees a request for a specific resource on the network (through its interception capabilities or strategic position on the ISP’s network), it tries to reply to the victim faster than the legitimate server.

If the attacker wins the ‘race’, the target machine will then use the attacker-supplied data instead of the normal data. Even if the attackers don’t win most ‘races’, they can try again until they succeed, guaranteeing that they will eventually infect most devices.

Following an attack, the target device receives a spyware application that can collect an impressive amount of information. The attackers are able to view and download any files stored on the device and run a keyword search on all documents. Generally, LuoYu targets foreign diplomatic organisations established in China and members of the academic community as well as defense, logistics and telecommunications companies. The actor uses WinDealer to attack Windows devices.

Typically, malware contains a hardcoded Command and Control server from which the malicious operator controls the entire system. With information about this server, it’s possible to block the IP-address of the machines that the malware interacts with, neutralising the threat.

However, WinDealer relies on a complex IP-generation algorithm to determine which machine to contact. This includes a range of 48 000 IP addresses, making it almost impossible for the operator to control even a small amount of the addresses.

The only way to explain this seemingly impossible network behaviour is by postulating that the attackers have significant interception capabilities over this IP range and can even read network packets that reach no destination.

The man-on-the-side attack is particularly devastating because it does not require any interaction with the target to lead to a successful infection: simply having a machine connected to the Internet is enough. Moreover, there is nothing users can do to protect themselves, apart from routing traffic through another network. This can be done with a VPN, but these may not be an option, depending on the territory, and would typically not be available to Chinese citizens.

The vast majority of LuoYu victims are located in China, so Kaspersky experts believe that the LuoYu APT is predominantly focused on Chinese-speaking victims and organisations related to China. However, Kaspersky researchers have also noticed attacks in other countries, such as Germany, Austria, the United States, Czech Republic, Russia and India.

“LuoYu is an extremely sophisticated threat actor able to leverage functionality available only to the most mature attackers,” comments Suguru Ishimaru, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). “We can only speculate as to how they were able to develop such capabilities. Man-on-the-side-attacks are extremely destructive as the only condition needed to attack a device is for it to be connected to the Internet.

“Even if the attack fails the first time, attackers can repeat the process over and over again until they succeed. This is how they can carry out extremely dangerous and successful spying attacks on their victims, which typically include diplomats, scientists and employees of other key sectors.

“No matter how the attack has been carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures, such as regular antivirus scans, analysis of outbound network traffic and extensive logging to detect anomalies.”