The official website of MonPass, a major Mongolian certification authority (CA), was infected with malware and used to distribute a remote-controlled client to users.
Researchers from Avast say MonPass was infected with eight different web shells and backdoors. According to researchers, this means the site was likely breached up to eight times.
Between March and April, Avast detected several indicators of compromise resulting from the web shells on the website. Researchers also found that the MonPass client itself had been infected with backdoors.
According to Avast, the installer contained binaries for Cobalt Strike, a legitimate tool for penetration testing that threat actors abuse for malware deployment, data exfiltration, and network activity obfuscation.
The rogue installer downloaded a benign installer from the MonPass domain to avoid arousing suspicion. It also downloaded an image file containing hidden code; that code was extracted from the image by steganography, decrypted, and used to install a Cobalt Strike beacon.
The researchers said they cannot make attributions for the attacks “with an appropriate level of confidence.”
“However, it’s clear that the attackers clearly intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia,” Avast added.
The Mongolian CA was informed about the issue on April 22. The company confirmed the issue was resolved on June 29.
MonPass client software downloaded between February 8 and March 3 should be removed from the system and replaced with the latest version available, which is v.1.21.1.
MonPass informed impacted clients of the security issue and “remotely scanned their computers to ensure that there was no threat.”
“These attacks do not affect our public key infrastructure system, our system is completely secure, and it is operating normally behind multiple layers of protection,” the company assured.