A Chinese-speaking hacker organization known as LuoYu infects victims with the WinDealer information-stealer malware by swapping genuine software updates for malicious payloads in man-on-the-side attacks. To do this, the threat actors monitor their targets’ network traffic for update requests from popular Asian apps such as QQ, WeChat, and WangWang, and answer them with a WinDealer installer in place of the legitimate update.
Once installed, WinDealer lets the attackers search for and siphon large quantities of data from infected Windows PCs, install backdoors to maintain persistence, manipulate files, scan for other devices on the network, and run arbitrary commands. According to security experts at Kaspersky, rather than relying on the usual hard-coded command-and-control (C2) server details, WinDealer connects to a random ChinaNet (AS4134) IP address in the Xizang and Guizhou provinces, drawn from a pool of 48,000 IP addresses.
Since controlling all of these IP ranges is unlikely, the possible explanations put forward for how LuoYu could pull this off include the use of compromised routers “on the route to (or inside) AS4134,” the use of ISP-level law enforcement tools, or “signals intelligence methods unknown to the general public.” LuoYu has shifted to abusing the automatic update mechanism of its victims’ applications after previously relying on compromised local news sites as infection vectors in easier-to-pull-off watering-hole operations.
“Man-on-the-side-attacks are extremely destructive, as the only condition needed to attack a device is for it to be connected to the internet. Even if the attack fails the first time, attackers can repeat the process over and over again until they succeed,” explained Kaspersky senior security researcher Suguru Ishimaru. The only method for prospective victims to defend themselves, regardless of how the attack was carried out, is to be highly cautious and have solid security processes in place, such as frequent antivirus scans, analysis of outgoing network traffic, and detailed logging to spot anomalies.
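As an added illustration of the outgoing-traffic analysis recommended above (example code written for this page, not from Kaspersky or from any LuoYu research), the script below runs two checks over a constructed connection log: update-client processes reaching destinations outside their vendor's expected ranges, which is what a substituted update response would look like, and a process spreading connections on one port across many distinct destination addresses, the footprint of picking a random C2 address from a large pool. The process names, the allowlisted CIDRs (documentation ranges) and the log format are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed outbound-connection log (not real telemetry): process,dest_ip,dest_port
SAMPLE_LOG = """\
QQUpdate.exe,203.0.113.10,443
QQUpdate.exe,198.51.100.77,80
WeChatUpdate.exe,203.0.113.40,443
sample.exe,198.51.100.5,6999
sample.exe,198.51.100.140,6999
sample.exe,198.51.100.201,6999
sample.exe,198.51.100.33,6999
browser.exe,203.0.113.77,443
"""

# Assumed update-client process names and the networks their updates should come from.
# The CIDRs are documentation-range placeholders, not real vendor infrastructure.
UPDATE_ALLOWLIST = {
    "QQUpdate.exe": [ipaddress.ip_network("203.0.113.0/24")],
    "WeChatUpdate.exe": [ipaddress.ip_network("203.0.113.0/24")],
}

def parse_log(text):
    """Parse 'process,ip,port' lines into (process, ip_address, port) tuples."""
    events = []
    for line in text.strip().splitlines():
        proc, ip, port = line.split(",")
        events.append((proc, ipaddress.ip_address(ip), int(port)))
    return events

def find_update_hijacks(events, allowlist=UPDATE_ALLOWLIST):
    """Update clients talking to anything outside their vendor's ranges."""
    hits = []
    for proc, ip, _port in events:
        if proc in allowlist and not any(ip in net for net in allowlist[proc]):
            hits.append((proc, str(ip)))
    return hits

def find_ip_spray(events, min_distinct=3):
    """(process, port) pairs whose connections fan out over many distinct destinations."""
    dests = defaultdict(set)
    for proc, ip, port in events:
        dests[(proc, port)].add(ip)
    return {key: len(ips) for key, ips in dests.items() if len(ips) >= min_distinct}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("update hijack candidates:", find_update_hijacks(evs))
    print("random-C2 candidates:", find_ip_spray(evs))
```

On real telemetry the allowlist would be built from the vendor's published update endpoints and the diversity threshold tuned against a baseline of normal client behaviour.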
LuoYu has been attacking Korean and Japanese organizations in China since at least 2014 and is also renowned for attacking foreign diplomatic organizations, the academic community, and companies in various industries, including defense and telecommunications. Other nations where Kaspersky’s Global Research and Analysis Team (GReAT) has detected infections include Germany, the Czech Republic, Austria, the United States, Russia, and India.
LuoYu has recently begun pursuing companies in East Asia and Chinese subsidiaries. This lesser-known hacker gang has previously been seen attacking macOS, Linux, and Android devices with Demsty (ReverseWindow) and SpyDealer malware, in addition to targeting Windows devices with WinDealer.