An extremely potent malware, delivered in a way that’s immune to most cybersecurity(opens in new tab) measures, was discovered infecting high-profile Chinese individuals.
Cybersecurity researchers from Kaspersky have discovered malware they call WinDealer, distributed and used by a Chinese Advanced Persistent Threat (APT) actor called LuoYu. WinDealer, the researchers say, is capable of collecting “an impressive amount” of information. It can view and download any files stored on the device, as well as run a keyword search on all the documents.
To deliver the malware to the target endpoint(opens in new tab), the attackers perform a man-on-the-side attack, essentially hijacking in-transit network traffic.
Racing with the server
When the victim tries to access a certain resource on the internet (for example, open their LinkedIn account), they need to send a request to the server, to open the page. This request is the type of traffic that the attackers can intercept and read, and then try to deliver malicious content before the server responds with the legitimate site.
Kaspersky describes the method as a “race” with the legitimate server, the only difference being – the attacker has as many attempts to deliver malicious content as they want. In order to successfully infect a target endpoint, the attacker needs no interaction with the victim, whatsoever.
An extremely potent malware, delivered in a way that’s immune to most cybersecurity(opens in new tab) measures, was discovered infecting high-profile Chinese individuals.
Cybersecurity researchers from Kaspersky have discovered malware they call WinDealer, distributed and used by a Chinese Advanced Persistent Threat (APT) actor called LuoYu. WinDealer, the researchers say, is capable of collecting “an impressive amount” of information. It can view and download any files stored on the device, as well as run a keyword search on all the documents.
To deliver the malware to the target endpoint(opens in new tab), the attackers perform a man-on-the-side attack, essentially hijacking in-transit network traffic.
Racing with the server
When the victim tries to access a certain resource on the internet (for example, open their LinkedIn account), they need to send a request to the server, to open the page. This request is the type of traffic that the attackers can intercept and read, and then try to deliver malicious content before the server responds with the legitimate site.
Kaspersky describes the method as a “race” with the legitimate server, the only difference being – the attacker has as many attempts to deliver malicious content as they want. In order to successfully infect a target endpoint, the attacker needs no interaction with the victim, whatsoever.