The LuoYu hackers spread an espionage campaign through app updates

June 8, 2022

LuoYu, a China-based hacking group, deployed the WinDealer infostealer by swapping legitimate application updates for compromised payloads as part of a cyberespionage campaign.

Reports revealed that the group monitored its targets’ network traffic for update requests from well-known Asian applications such as WeChat, WangWang, and QQ. The threat actors then replaced the update for these apps with the WinDealer malware to infect their targets.

Once WinDealer is successfully installed on the target’s system, it can gather large amounts of data from the compromised OS. It can also install backdoors, manipulate files, run arbitrary commands, and scan for other devices connected to the network.

Moreover, instead of relying on a fixed command-and-control server, WinDealer connects to an IP address chosen at random from a pool of nearly 50,000 ChinaNet addresses in the Guizhou and Xizang provinces, an unusual strategy that replaces standard hard-coded command-and-control server information.


LuoYu transitioned to abusing the automatic update feature of its targeted apps after its watering-hole attacks became more visible to cybersecurity researchers.


According to the researchers, LuoYu’s exploitation of the automatic update feature is extremely destructive, since it only requires the target to connect a device to the internet. Moreover, the attack can be repeated, which is especially threatening because the threat actors can retry the campaign even if it fails on the first attempt.

Additionally, the specific attack method matters little to defenders, since the only way for targets to mitigate this exploit is to be very vigilant when updating their apps. Users must also have a competent security procedure, such as regular antivirus scans, extensive logging to spot malicious activity, and careful analysis of outbound network traffic.
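The random-address command-and-control behaviour described above (no fixed server, a pick from a pool of tens of thousands of addresses) is one thing that careful analysis of outbound traffic can surface. The following Python heuristic is an added example, not code from the article or from any researcher's tooling: it flags hosts that talk to many distinct, never-resolved addresses inside one network block. The hosts, flows and documentation-range IPs are constructed, and the block size and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Internal ranges to ignore: internal traffic is out of scope for this heuristic.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample telemetry (hypothetical hosts, documentation-range IPs,
# not real indicators): outbound flows as (host, dst_ip, dst_port).
FLOWS = [
    ("ws-02", "198.51.100.10", 443),   # app update server, name resolved via DNS
    ("ws-02", "198.51.100.11", 443),
    ("ws-02", "203.0.113.9", 443),     # one unresolved destination: not enough alone
    ("ws-07", "203.0.113.5", 443),     # ws-07 hops across unresolved IPs in one block
    ("ws-07", "203.0.113.17", 443),
    ("ws-07", "203.0.113.42", 443),
    ("ws-07", "203.0.113.88", 443),
    ("ws-07", "203.0.113.120", 443),
    ("ws-07", "203.0.113.201", 443),
    ("ws-07", "192.168.1.20", 445),    # internal, ignored
]
# Constructed set of addresses that appeared in DNS answers on the network.
DNS_ANSWERS = {"198.51.100.10", "198.51.100.11"}

def flag_unresolved_ip_hopping(flows, dns_answers, min_distinct=5, prefix_len=16):
    """Return {host: [(block, distinct_ip_count), ...]} for hosts that contacted at
    least min_distinct different IPs inside one /prefix_len block, none of which
    was ever returned by a DNS lookup. An implant that picks a random address from
    a large hard-coded pool produces exactly this shape, whereas a genuine update
    client resolves a name and talks to a handful of addresses."""
    per_host = defaultdict(lambda: defaultdict(set))
    for host, dst_ip, _port in flows:
        addr = ipaddress.ip_address(dst_ip)
        if dst_ip in dns_answers or any(addr in net for net in INTERNAL):
            continue
        block = str(ipaddress.ip_network(f"{dst_ip}/{prefix_len}", strict=False))
        per_host[host][block].add(dst_ip)
    findings = {}
    for host, blocks in per_host.items():
        hits = sorted((blk, len(ips)) for blk, ips in blocks.items()
                      if len(ips) >= min_distinct)
        if hits:
            findings[host] = hits
    return findings

if __name__ == "__main__":
    for host, hits in flag_unresolved_ip_hopping(FLOWS, DNS_ANSWERS).items():
        print(host, hits)   # ws-07 [('203.0.0.0/16', 6)]
```

In practice the DNS answer set comes from passive DNS or resolver logs covering the same window as the flow records, and the threshold should be tuned against a baseline of normal hosts.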

This little-known threat group has been observed by researchers attacking multiple platforms, including macOS, Android, and Linux devices, with the ReverseWindow and SpyDealer malware. LuoYu has also started targeting companies in East Asia and foreign companies based in China.

As of now, it remains a mystery to researchers how LuoYu developed these kinds of capabilities, since they are usually found only in mature and well-funded threat groups. For now, even experts and analysts can only speculate on how LuoYu operators build their attacks.
