Nation-State Hackers Exploit AirWatch API with Airstalk Malware in Advanced Cyber Attack

A suspected nation-state threat actor has been observed deploying a previously undocumented malware family named Airstalk, possibly delivered through a supply chain attack. Palo Alto Networks’ Unit 42 tracks the activity as CL-STA-1009, where CL denotes an activity cluster and STA a suspected state-backed motivation.

Airstalk is notable for abusing the AirWatch MDM API (the product is now Workspace ONE Unified Endpoint Management) as a covert command-and-control (C2) channel. It does not exploit a vulnerability in the API. It uses two legitimate, authenticated management features, custom device attributes and file (blob) uploads, so its C2 traffic goes to a management endpoint the organization already trusts and blends in with routine API calls.

The malware exists in PowerShell and .NET variants, the latter more capable: it talks to the C2 over multiple threads, targets additional browsers, and supports a larger command set. Both variants capture screenshots and extract cookies, browsing history and bookmarks from web browsers. Evidence suggests the threat actors may be signing some of these artifacts with a stolen code-signing certificate, which lends them credibility and helps them pass signature-based checks.

PowerShell Variant Analysis:

The PowerShell version of Airstalk communicates with its operator through the /api/mdm/devices/ endpoint. This endpoint normally serves device details; the malware uses the custom attributes it exposes as a message store, with the implant and the operator each writing messages into attribute values and polling for the other side’s reply.

On execution, the backdoor sends a CONNECT message and waits for a CONNECTED response from the operator. It then processes the tasks the operator assigns in ACTIONS messages and returns their output in RESULT messages.

The backdoor supports seven distinct actions:

1. Capturing a screenshot.
2. Retrieving cookies from Google Chrome.
3. Listing all user Chrome profiles.
4. Obtaining browser bookmarks from a specified profile.
5. Collecting browser history from a specified Chrome profile.
6. Enumerating all files within the user’s directory.
7. Uninstalling itself from the host system.

For results too large to fit in an attribute value, the malware uploads the content as a new blob through the MDM API’s blob-upload feature, so bulk exfiltration also rides on the management API rather than on a separate attacker-controlled server.
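The handshake and tasking flow described above, as an added example that is not Unit 42’s code and not the malware’s own. The page names only the message types and the attribute and blob mechanisms; the JSON encoding, the 256-byte inline limit, the audit labels and the action names are assumptions made to show how the two sides talk through a shared attribute value. Everything runs against an in-memory stand-in for the tenant; no real API is touched.

```python
"""Simulated Airstalk-style dead-drop C2 over MDM custom attributes.

Added example, not Unit 42's code and not the malware's own. The message
types come from the page; the JSON encoding, the inline size limit, the
audit labels and the action names are assumptions. Nothing here contacts a
real Workspace ONE UEM tenant or reads the real host.
"""
import json
from dataclasses import dataclass, field

BLOB_INLINE_LIMIT = 256  # assumed: results larger than this go out as a blob


@dataclass
class MockTenant:
    """Stand-in for a Workspace ONE UEM tenant: one custom-attribute slot per
    device plus a blob store. Every call is logged so the exchange can be
    inspected afterwards the way a defender would read an API audit export."""
    attributes: dict = field(default_factory=dict)  # device_id -> JSON text
    blobs: dict = field(default_factory=dict)       # blob_id -> bytes
    audit: list = field(default_factory=list)       # (actor, call, detail)

    def put_attribute(self, actor, device_id, message):
        self.attributes[device_id] = json.dumps(message)
        self.audit.append((actor, "PUT customattributes", message["type"]))

    def get_attribute(self, actor, device_id):
        self.audit.append((actor, "GET device", "poll"))
        raw = self.attributes.get(device_id)
        return json.loads(raw) if raw else None

    def upload_blob(self, actor, data):
        blob_id = f"blob-{len(self.blobs) + 1}"
        self.blobs[blob_id] = data
        self.audit.append((actor, "POST uploadblob", blob_id))
        return blob_id


# Constructed stand-ins for a few of the PowerShell variant's actions.
FAKE_PROFILES = ["Default", "Profile 1"]
FAKE_BOOKMARKS = {"Default": ["https://intranet.example/", "https://wiki.example/"]}


def handle_action(action):
    name = action["name"]
    if name == "ListChromeProfiles":
        return json.dumps(FAKE_PROFILES)
    if name == "GetBookmarks":
        return json.dumps(FAKE_BOOKMARKS.get(action.get("profile"), []))
    if name == "Screenshot":
        return "PNG" + "\x00" * 2000  # constructed: large enough to force the blob path
    if name == "Uninstall":
        return "uninstalled"
    return f"unknown action {name}"


def implant_poll(tenant, device_id):
    """One poll by the implant: act on whatever the operator left in the attribute."""
    msg = tenant.get_attribute("implant", device_id)
    if msg is None or msg["type"] in ("CONNECT", "RESULT"):
        return None                      # nothing new from the operator yet
    if msg["type"] == "CONNECTED":
        return "CONNECTED"               # handshake done, wait for ACTIONS
    if msg["type"] == "ACTIONS":
        results = []
        for action in msg["actions"]:
            out = handle_action(action)
            if len(out) > BLOB_INLINE_LIMIT:
                blob_id = tenant.upload_blob("implant", out.encode())
                results.append({"action": action["name"], "blob": blob_id})
            else:
                results.append({"action": action["name"], "data": out})
        tenant.put_attribute("implant", device_id, {"type": "RESULT", "results": results})
        return "RESULT"
    return msg["type"]


def run_exchange(device_id="device-001"):
    """Drive one handshake-and-tasking round; return the tenant and the final RESULT."""
    tenant = MockTenant()
    tenant.put_attribute("implant", device_id, {"type": "CONNECT"})        # implant checks in
    if tenant.get_attribute("operator", device_id)["type"] == "CONNECT":    # operator sees it
        tenant.put_attribute("operator", device_id, {"type": "CONNECTED"})
    implant_poll(tenant, device_id)                                          # implant sees CONNECTED
    tenant.put_attribute("operator", device_id, {"type": "ACTIONS", "actions": [
        {"name": "ListChromeProfiles"},
        {"name": "GetBookmarks", "profile": "Default"},
        {"name": "Screenshot"},
    ]})
    implant_poll(tenant, device_id)                                          # implant runs the tasks
    return tenant, tenant.get_attribute("operator", device_id)              # operator collects RESULT


if __name__ == "__main__":
    tenant, result = run_exchange()
    for entry in tenant.audit:
        print(entry)
```

The audit trail is the part worth studying: every step is an ordinary attribute read or write, the operator and the implant show up as two different principals touching the same device record, and the only thing that distinguishes the screenshot from a routine file upload is that a blob appears right after an attribute write by the same principal.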

.NET Variant Analysis:

The .NET variant targets additional browsers, including Microsoft Edge and Island, an enterprise-focused browser. It masquerades as an AirWatch helper utility, AirwatchHelper.exe, to blend in on managed endpoints.

This variant introduces three additional message types:

– MISMATCH: Indicates version mismatches.
– DEBUG: Transmits debug messages.
– PING: Serves as a beaconing mechanism.

The .NET version runs three threads: one handles C2 tasking, one exfiltrates debug logs, and one beacons to the C2 server with PING messages. Its command set is broader:

1. Screenshot: Captures a screenshot.
2. UpdateChrome: Exfiltrates data from a specific Chrome profile.
3. FileMap: Lists contents of a specified directory.
4. RunUtility: (Not implemented)
5. EnterpriseChromeProfiles: Fetches available Chrome profiles.
6. UploadFile: Exfiltrates specific Chrome artifacts and credentials.
7. OpenURL: Opens a new URL in Chrome.
8. Uninstall: Terminates its execution.
9. EnterpriseChromeBookmarks: Retrieves Chrome bookmarks from a specified user profile.
10. EnterpriseIslandProfile: (Functionality not detailed)

Implications and Recommendations:

Airstalk illustrates how state-backed actors turn legitimate management tooling against its owners. Because the C2 channel consists of authenticated calls to the organization’s own Workspace ONE UEM tenant, blocking the destination is not practical and the traffic looks, at a glance, like ordinary device management. Detection therefore has to rest on who is writing custom attributes and uploading blobs, how often, and whether that fits their normal role.

Organizations utilizing Workspace ONE Unified Endpoint Management should take the following steps:

1. Audit API Usage: Review which accounts and devices write custom device attributes and upload blobs, and how often. A principal that writes attributes on a fixed cadence, or uploads blobs outside normal application-distribution workflows, warrants investigation.
2. Enhance Monitoring: Baseline normal management-API and endpoint behaviour so that anomalies stand out, such as beacon-like attribute writes, an unexpected AirwatchHelper.exe process, or management tooling signed by an unfamiliar certificate.
3. Update Security Protocols: Keep Workspace ONE UEM, endpoint agents and security tooling current, and review the scope and ownership of API credentials so that a compromised account cannot write attributes or upload blobs for devices it has no reason to manage.
4. Employee Training: Educate staff on recognizing phishing attempts and other common attack vectors. Note that the suspected initial vector here is a supply chain compromise, so training reduces only part of the exposure.
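One way to put the audit and monitoring steps above into practice, as an added example that is not Unit 42’s or Omnissa’s code. It reviews a constructed API audit export for two of the patterns the page describes: custom-attribute writes to one device at a metronomic cadence (the beaconing and polling behaviour) and a principal that both writes attributes and uploads blobs (tasking followed by bulk exfiltration). The CSV log format, the endpoint paths, the principal names and the thresholds are assumptions; adapt them to the audit data your tenant actually produces.

```python
"""Heuristic review of Workspace ONE UEM API activity for Airstalk-style abuse.

Added example, not Unit 42's or Omnissa's code. The one-CSV-line-per-call log
format, the endpoint paths, the principals and the thresholds are assumptions.
"""
import csv
import io
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

CUSTOM_ATTR = re.compile(r"^/api/mdm/devices/([^/]+)/customattributes$")  # assumed path
BLOB_UPLOAD = "/api/mam/blobs/uploadblob"                                  # assumed path
MIN_EVENTS = 5    # fewest writes to one device before cadence is judged
MAX_CV = 0.2      # coefficient of variation below this = metronomic cadence


def build_sample_log():
    """Constructed sample: a helpdesk admin doing routine work, plus one API
    principal writing a device's custom attribute every 60 s, then uploading a blob."""
    t0 = datetime(2025, 10, 1, 9, 0, 0)
    lines = ["ts,principal,src_ip,method,path,status",
             f"{t0 + timedelta(minutes=2)},helpdesk,10.0.0.5,GET,/api/mdm/devices/search,200",
             f"{t0 + timedelta(minutes=9)},helpdesk,10.0.0.5,PUT,/api/mdm/devices/1234/customattributes,200",
             f"{t0 + timedelta(hours=3)},helpdesk,10.0.0.5,PUT,/api/mdm/devices/1234/customattributes,200"]
    for i in range(6):
        lines.append(f"{t0 + timedelta(seconds=60 * i)},svc-enroll,10.0.0.77,PUT,"
                     f"/api/mdm/devices/9876/customattributes,200")
    lines.append(f"{t0 + timedelta(seconds=400)},svc-enroll,10.0.0.77,POST,{BLOB_UPLOAD},201")
    return "\n".join(lines)


def parse_log(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["ts"])
        rows.append(r)
    return rows


def find_suspicious(rows):
    """Return (finding, principal, device, detail) tuples for the two patterns."""
    attr_writes = defaultdict(list)   # (principal, device) -> [timestamps]
    blob_uploaders = set()
    for r in rows:
        m = CUSTOM_ATTR.match(r["path"])
        if m and r["method"] == "PUT":
            attr_writes[(r["principal"], m.group(1))].append(r["ts"])
        elif r["path"] == BLOB_UPLOAD and r["method"] == "POST":
            blob_uploaders.add(r["principal"])

    findings = []
    for (principal, device), stamps in attr_writes.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Cadence check: a low spread in inter-write gaps means a timer, not a human.
        if len(stamps) >= MIN_EVENTS:
            mean_gap = statistics.mean(gaps)
            if mean_gap > 0:
                cv = statistics.pstdev(gaps) / mean_gap
                if cv < MAX_CV:
                    findings.append(("beacon_like_attribute_writes", principal, device, round(cv, 3)))
        # Tasking plus exfiltration: same principal writes attributes and uploads blobs.
        if principal in blob_uploaders:
            findings.append(("attribute_writes_plus_blob_upload", principal, device, len(stamps)))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_log(build_sample_log())):
        print(f)
```

The cadence check is the one that survives operators changing message contents: it keys only on timing, so it also catches the .NET variant’s PING thread. Tune MIN_EVENTS and MAX_CV against a week of your own logs first, since some legitimate integrations also write attributes on a schedule; the second heuristic is there to separate those from a principal that is also moving data out through blobs.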

Adopting these measures gives organizations a realistic chance of spotting Airstalk-style abuse of their own management plane before data leaves the environment.