A lesser-known Chinese-speaking cybercriminal group is carrying out attack operations that deploy information-stealing malware onto breached devices. The hackers from the LuoYu group intercept updates for legitimate apps and swap them for malicious payloads in what are known as man-on-the-side attacks. For the infection to succeed, the threat actors actively monitor the network traffic of their chosen victims. When they observe a request for an app update from popular software products in the Asian market, such as QQ, WangWang, or WeChat, the LuoYu hackers substitute the response with an installer for the WinDealer malware.
Upon being executed on the victim's Windows system, WinDealer will allow the attackers to perform a wide range of intrusive and malicious actions. One of the primary functionalities of the threat is related to the harvesting and subsequent exfiltration of confidential and sensitive data. However, the hackers can also rely on WinDealer to install more specialized backdoor threats in order to guarantee their persistence on the device. WinDealer can manipulate the file system, scan for additional devices connected to the same network, or run arbitrary commands.
One peculiar characteristic of the threat is the way it communicates with its Command-and-Control (C2, C&C) server. Instead of using a hard-coded C2 server, the LuoYu cybercriminals have created a pool of 48,000 IP addresses from the Chinese provinces of Xizang and Guizhou. The threat connects to a random ChinaNET (AS4134) IP address drawn from that pool. The cybersecurity researchers at Kaspersky who released the details about LuoYu and WinDealer believe that the hackers are able to use such a technique thanks to having access to compromised routers inside AS4134 or by utilizing ISP-level law enforcement tools. Another possibility is that the threat actors have internal methods that are still unknown to the general public.
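The random-IP C2 scheme described above has a detectable side effect: a single infected host ends up talking to many unrelated addresses inside one ISP's ranges. The following Python is an added illustration of that fan-out check, not code from Kaspersky's report; the pool CIDRs and the flow records are constructed placeholders standing in for the real AS4134 ranges, which this page does not list.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder ranges standing in for the suspect AS4134 pool.
POOL = [ipaddress.ip_network("198.51.100.0/24"),
        ipaddress.ip_network("203.0.113.0/24")]

# Constructed flow records, one "src_ip dst_ip" pair per line.
FLOWS = """\
10.0.0.5 198.51.100.17
10.0.0.5 198.51.100.201
10.0.0.5 203.0.113.44
10.0.0.5 203.0.113.9
10.0.0.5 198.51.100.88
10.0.0.7 93.184.216.34
10.0.0.7 198.51.100.17
"""


def in_pool(ip):
    """True if the destination falls inside one of the watched ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in POOL)


def pool_fanout(flow_text):
    """Map each source host to the set of distinct pool addresses it hit."""
    fanout = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst = line.split()
        if in_pool(dst):
            fanout[src].add(dst)
    return fanout


def flag_hosts(flow_text, threshold=3):
    """Hosts contacting at least `threshold` distinct pool addresses.

    A legitimate client rarely talks to many random hosts scattered across
    one ISP's ranges; WinDealer's random C2 selection produces exactly that
    pattern, so the fan-out count, not any single destination, is the signal.
    """
    return sorted(src for src, dsts in pool_fanout(flow_text).items()
                  if len(dsts) >= threshold)
```

On the constructed flows only 10.0.0.5 is flagged; 10.0.0.7 touches one pool address, which on its own is not suspicious.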