LuoYu, a Chinese-speaking threat actor, is infecting victims with WinDealer, an information stealer that also installs backdoors to maintain persistence. The group delivers WinDealer through man-on-the-side attacks rather than through phishing or exploits.

The man-on-the-side attack

Kaspersky observed LuoYu intercepting the targets' network traffic, watching for the automatic update requests of well-known Asian apps (such as QQ, WeChat, and WangWang), and answering those requests with WinDealer installers in place of the legitimate updates.
  • A man-on-the-side attacker cannot block the genuine traffic, only race it. The attack needs no vulnerability on the victim's device: the device only has to be connected to the internet, and the attacker has to sit somewhere on the network path where it can observe packets and inject its own. If the injected response loses the race the first time, the attackers can simply try again on the next update check until they succeed.
  • WinDealer, once deployed, lets the attackers enumerate and exfiltrate large amounts of data from the targeted Windows system.
  • Instead of the usual hard-coded C2 server, WinDealer connects to a random ChinaNet IP address in the Guizhou and Xizang provinces, chosen from a pool of about 48,000 addresses. That defeats simple indicator blocking, and it implies that the operators can intercept traffic to any address in that pool in transit, the same network positioning the man-on-the-side delivery relies on.
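A man-on-the-side injector can answer an update request faster than the real server, but it cannot stop the real server's reply from arriving a moment later. That leaves a detectable artifact on the wire: two different responses for the same TCP sequence number, typically with a different IP TTL because the injected packet was emitted from a different hop. The following is an added example (not code from the article or from Kaspersky) that runs this heuristic over constructed packet records; the update hostname, addresses and HTTP payloads are all made up for the example.

```python
"""Heuristic detection of man-on-the-side (MOTS) injection into plaintext
HTTP software-update traffic, run over constructed packet records.

Added example, not code from the original article or from Kaspersky.
The injector can only win the race, not suppress the genuine reply, so the
tell-tale is a second, different response carrying the same TCP sequence
number, usually with a different IP TTL.  Hostnames, addresses and
payloads below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float          # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int           # IP TTL as seen at the sensor
    seq: int           # TCP sequence number of the first payload byte
    payload: bytes     # TCP payload (one HTTP message per packet here)


FlowKey = Tuple[str, int, str, int]   # client ip, client port, server ip, server port

# Hypothetical update host; each real app has its own.
UPDATE_HOSTS = {b"update.example-im.test"}


def http_host(payload: bytes) -> Optional[bytes]:
    """Return the Host header of an HTTP request, or None."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip()
    return None


def http_body(payload: bytes) -> bytes:
    """Body portion of an HTTP message (empty if no header terminator)."""
    _head, sep, body = payload.partition(b"\r\n\r\n")
    return body if sep else b""


def is_pe(body: bytes) -> bool:
    """A Windows executable starts with the 'MZ' DOS header."""
    return body.startswith(b"MZ")


def find_injections(pkts: List[Pkt]) -> List[dict]:
    """Flag update requests that received conflicting responses.

    A finding is raised when two server->client packets in the same flow
    carry the same sequence number but different payloads.  The first
    (winning) response is the one the client acted on; we report whether
    it was an executable and how its TTL differs from the late one.
    """
    requests: Dict[FlowKey, Pkt] = {}
    for p in pkts:
        if p.dport == 80 and p.payload[:4] in (b"GET ", b"POST"):
            if http_host(p.payload) in UPDATE_HOSTS:
                requests[(p.src, p.sport, p.dst, p.dport)] = p

    responses: Dict[FlowKey, List[Pkt]] = {k: [] for k in requests}
    for p in pkts:
        key = (p.dst, p.dport, p.src, p.sport)      # reverse direction
        if key in responses and p.payload.startswith(b"HTTP/"):
            responses[key].append(p)

    findings = []
    for key, resp in responses.items():
        by_seq: Dict[int, List[Pkt]] = {}
        for p in sorted(resp, key=lambda x: x.ts):
            by_seq.setdefault(p.seq, []).append(p)
        for seq, dup in by_seq.items():
            if len(dup) < 2 or all(d.payload == dup[0].payload for d in dup[1:]):
                continue        # a plain retransmission is not an injection
            first, second = dup[0], dup[1]
            findings.append({
                "client": f"{key[0]}:{key[1]}",
                "server": f"{key[2]}:{key[3]}",
                "seq": seq,
                "first_is_pe": is_pe(http_body(first.payload)),
                "ttl_delta": first.ttl - second.ttl,
                "lag_ms": round((second.ts - first.ts) * 1000, 1),
            })
    return findings


# Constructed traffic: one hijacked update check and one clean one.
CLIENT, UPD = "10.0.0.5", "203.0.113.10"
REQ = b"GET /check?app=im&v=1.2.2 HTTP/1.1\r\nHost: update.example-im.test\r\n\r\n"
PE_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
           b"MZ\x90\x00" + b"\x00" * 28)                    # fake PE stub
REAL_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
             b'{"latest":"1.2.2"}')

CONSTRUCTED_PKTS = [
    Pkt(1.000, CLIENT, 51000, UPD, 80, 64, 1, REQ),
    Pkt(1.018, UPD, 80, CLIENT, 51000, 49, 1, PE_RESP),    # injected, wins the race
    Pkt(1.091, UPD, 80, CLIENT, 51000, 54, 1, REAL_RESP),  # genuine, arrives late
    Pkt(2.000, CLIENT, 51002, UPD, 80, 64, 1, REQ),
    Pkt(2.080, UPD, 80, CLIENT, 51002, 54, 1, REAL_RESP),  # clean flow, one reply
]


def demo() -> List[dict]:
    return find_injections(CONSTRUCTED_PKTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The same logic ports directly to a Zeek or Suricata sensor that records per-packet sequence numbers; the essential inputs are the flow key, the TCP sequence number, the TTL and enough of the payload to tell an executable from an update manifest. A response that is executable where a manifest was expected is worth an alert on its own even when the late genuine reply is not captured.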

About LuoYu group

The group has been targeting Korean and Japanese entities since 2014, as well as foreign diplomatic organizations in China, the academic community, and the defense and telecommunications industries.
  • Kaspersky's Global Research and Analysis Team (GReAT) spotted occasional infections in other countries, including the Czech Republic, Germany, Austria, the U.S., India, and Russia.
  • More recently, LuoYu has started targeting companies in East Asia and their branches located in China.
  • The group's tooling covers almost all major platforms: Windows, macOS, Linux, and Android.

What to do?

Because delivery rides on hijacked update traffic, the most direct defenses target the update channel itself: make sure applications fetch updates over TLS and verify package signatures before installing anything, and alert when an update check is answered with an executable. Beyond that, security teams should keep up regular antivirus scans, extensive logging to detect anomalies, and anti-APT and EDR coverage. Most importantly, engaging with threat intelligence providers offers access to independent, continuously updated, and globally-sourced information on emerging threats.
Cyware Publisher
