MonPass, a major certificate authority, appears to have been breached at least six months ago; the attackers returned to a compromised public web server approximately eight times.
The attackers backdoored installers distributed through the organization’s website with the Cobalt Strike beacon. Even the official MonPass client was compromised, with the infected binaries distributed between February 8 and March 3, 2021.
The security researchers identified eight different web shells and backdoors on the compromised public web server. The company declined to attribute the attacks to a known threat actor, but said that some of the observed technical details and IOCs overlap with those included by NTT Security Threat Intelligence researchers in a report on the China-linked Winnti Group.
The malicious installer was designed to download the legitimate MonPass installer from the official website and execute it, so as to avoid raising suspicion. At the same time, the malware would fetch a bitmap image file with code hidden in it via steganography. The extracted code is a Cobalt Strike beacon.
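A defender-side triage check for the image stage described above, added here as an example and not code from the report or from MonPass. The report does not say how the beacon was embedded, so this script assumes only the standard BMP header layout and flags bytes the image does not account for (a size mismatch or data appended after the pixel array); the sample image and the appended blob are constructed inline.

```python
import struct
from dataclasses import dataclass, field

FILE_HDR = 14   # BITMAPFILEHEADER
INFO_HDR = 40   # BITMAPINFOHEADER


@dataclass
class BmpFinding:
    declared_size: int
    actual_size: int
    trailing_bytes: int            # bytes after the pixel array ("overlay")
    reasons: list = field(default_factory=list)


def analyze_bmp(data: bytes) -> BmpFinding:
    """Parse BMP headers and flag room for hidden data. Assumed heuristic:
    an appended blob or a size mismatch means bytes the image does not need."""
    if len(data) < FILE_HDR + INFO_HDR or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size, _r1, _r2, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    _hdr, width, height, _planes, bpp, compression, size_image = struct.unpack_from(
        "<IiiHHII", data, FILE_HDR)
    if compression in (0, 3):                       # BI_RGB / BI_BITFIELDS: uncompressed
        row_bytes = ((bpp * width + 31) // 32) * 4  # rows are padded to 4 bytes
        pixel_bytes = row_bytes * abs(height)
    else:                                           # RLE etc.: trust the header's count
        pixel_bytes = size_image
    trailing = max(0, len(data) - (pixel_offset + pixel_bytes))
    finding = BmpFinding(declared_size, len(data), trailing)
    if declared_size != len(data):
        finding.reasons.append(f"header declares {declared_size} bytes, file has {len(data)}")
    if trailing:
        finding.reasons.append(f"{trailing} bytes after the pixel array")
    return finding


def make_sample_bmp(width: int = 2, height: int = 2) -> bytes:
    """Constructed 24-bit black image used only as test input."""
    row_bytes = ((24 * width + 31) // 32) * 4
    pixels = bytes(row_bytes * height)
    size = FILE_HDR + INFO_HDR + len(pixels)
    file_hdr = b"BM" + struct.pack("<IHHI", size, 0, 0, FILE_HDR + INFO_HDR)
    info_hdr = struct.pack("<IiiHHIIiiII", INFO_HDR, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


if __name__ == "__main__":
    clean = make_sample_bmp()
    stuffed = clean + bytes(range(64))   # constructed: 64 extra bytes appended
    for name, blob in (("clean", clean), ("stuffed", stuffed)):
        print(name, analyze_bmp(blob).reasons)
```

A clean image returns no reasons; an image with appended data reports both the size mismatch and the trailing byte count, which is a cheap first filter before deeper LSB analysis.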
By compromising a trustworthy source in Mongolia, the attackers appear to have concentrated their effort toward compromising entities in this geography. MonPass was informed of the compromise and has taken steps to secure its servers.
The security researchers recommend that all those who downloaded the MonPass client between February 8 and March 3, 2021, remove the client and check their systems for the backdoor it might have fetched and installed.