Extremely powerful malware, distributed immune to most cybersecurity measures (opens in a new tab), has been discovered infecting Chinese figures.

Kaspersky cybersecurity researchers have discovered malware they call WinDealer, distributed and used by a Chinese advanced persistent threat (APT) actor named LuoYu. WinDealer, the researchers say, can collect "an impressive amount" of information. You can view and download all files stored on your device, as well as perform a keyword search on all documents.

To deliver malware to the target endpoint (opens in a new tab), attackers perform a man-on-the-side attack, essentially hijacking network traffic in transit.

Race with the waiter

When the victim tries to access a certain resource on the Internet (for example, to open their LinkedIn account), they must send a request to the server to open the page. This request is the type of traffic that attackers can intercept and read, and then attempt to deliver malicious content before the server responds with the legitimate site.

Kaspersky describes the method as a "race" with the legitimate server, with the only difference being that the attacker has as many attempts to deliver malicious content as he wants. To successfully infect a target endpoint, the attacker does not need any interaction with the victim, whoever it is.

The targets are mostly high-level organizations and individuals in China, the researchers further say. Foreign diplomatic organizations established in China, members of the academic community, defense, logistics and telecommunications companies are listed as potential targets. In addition to China, Kaspersky researchers also mentioned targets in Germany, Austria, the United States, the Czech Republic, Russia, and India.

All targets use Windows as the operating system of choice.

In addition to being difficult to detect, malware (opens in a new tab) is also difficult to block. Typically, this type of malware contacts a command and control (C2) server for instructions, and simply blocking the server's IP address would be enough to neutralize the threat. WinDealer, on the other hand, relies on a complex algorithm that generates IP addresses (48.000, according to Kaspersky), which makes blocking impossible.

The only way to defend against such an attack is to route the traffic through another network, for example with a VPN. However, having a VPN in China is easier said than done.

Share This