Hackergroup WinDealer Backdoor

A sophisticated Chinese APT group, which is tracked as LuoYu, has been detected recently by the security experts at Kaspersky Lab. A malicious Windows tool named WinDealer was observed being used by this Chinese APT group.

WinDealer is primarily spread through a stealthy delivery mechanism known as a man-on-the-side attack, in which the attacker substitutes a malicious payload for a legitimate application update.

To carry out this attack, the threat actors monitor their targets' network traffic to determine whether popular Asian social applications are requesting app updates.

Once they observe a legitimate update request, they immediately substitute a malicious WinDealer installer for the update.

Capabilities offered by WinDealer

Once deployed, WinDealer provides attackers with a range of sophisticated capabilities, which are listed below:-

  • Find large amounts of data by searching a database on the compromised system.
  • Extract massive amounts of data by siphoning it from the compromised system.
  • Ensure the persistence of the attack by installing backdoors.
  • Manipulate files.
  • Collect hardware details.
  • Collect the network configuration and/or keyboard layout.
  • List running processes.
  • Collect the list of installed applications and the configuration files of popular messaging apps (Skype, QQ, WeChat and Wangwang).
  • Capture screenshots.
  • Discover the network via ping scan.
  • Look for other devices on the network that can be exploited.
  • Run arbitrary commands.
  • Download and upload arbitrary files.

Technical Analysis

Since 2008, LuoYu has been operating in China and has mainly focused on Chinese targets such as:-

  • Foreign diplomatic organizations established in the country
  • Members of the academic community
  • Companies from the defense, logistics and telecommunications sectors

WinDealer selects a random IP address from a pool of 48,000 IP addresses belonging to ChinaNet (AS4134) in the Xizang and Guizhou provinces and connects to it.
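Because the command-and-control address is drawn at random from a large pool, blocking any single IP is of little use; a defender can instead look for a host that contacts many distinct addresses inside the watched ranges. The following added example (not from the article or from Kaspersky) implements that check over constructed flow records, using placeholder prefixes in place of the real AS4134 ranges, which the article does not list.

```python
"""Added example (not from the article): flag hosts that spread connections
across many distinct IPs inside a watch-listed range, the pattern WinDealer's
randomised C2 selection produces. The CIDRs below are placeholders."""
import ipaddress
from collections import defaultdict

# PLACEHOLDER prefixes standing in for the ~48,000-address pool; replace with
# the prefixes you actually want to watch (not the real AS4134 ranges).
WATCHED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2022-06-01T09:00:01 10.0.0.5 203.0.113.17 443
2022-06-01T09:05:12 10.0.0.5 203.0.113.201 443
2022-06-01T09:11:40 10.0.0.5 198.51.100.9 443
2022-06-01T09:20:03 10.0.0.5 198.51.100.77 443
2022-06-01T09:22:15 10.0.0.9 203.0.113.17 443
2022-06-01T09:30:55 10.0.0.9 93.184.216.34 443
"""

def in_watched_range(ip):
    """True if the address falls inside any watched prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_PREFIXES)

def distinct_watched_destinations(flow_text):
    """Map each source host to the set of distinct watched-range IPs it contacted."""
    seen = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        _ts, src, dst, _port = parts
        if in_watched_range(dst):
            seen[src].add(dst)
    return seen

def flag_spraying_hosts(flow_text, threshold=3):
    """Return hosts contacting at least `threshold` distinct watched-range IPs.
    A host with a single contact (e.g. one legitimate site hosted in the
    range) stays below the threshold and is not flagged."""
    seen = distinct_watched_destinations(flow_text)
    return sorted(src for src, dsts in seen.items() if len(dsts) >= threshold)

if __name__ == "__main__":
    print(flag_spraying_hosts(SAMPLE_FLOWS))  # -> ['10.0.0.5']
```

On the constructed records only 10.0.0.5 is flagged; 10.0.0.9 touched one watched address and one unrelated one, which is the kind of benign overlap the threshold is meant to tolerate.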

Here’s what Kaspersky senior security researcher Suguru Ishimaru stated:-

“Man-on-the-side attacks are extremely destructive as the only condition needed to attack a device is for it to be connected to the internet. No matter how the attack has been carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures.”

Moreover, Kaspersky's GReAT (Global Research and Analysis Team) has also detected infections in other countries, including:-

  • Germany
  • Austria
  • The United States
  • The Czech Republic
  • Russia
  • India

The operators of the LuoYu APT group have previously been observed targeting not only Windows devices, using WinDealer, but also macOS, Linux and Android devices, using malware called Demsty and SpyDealer.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.