
""Airstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified Endpoint Management," security researchers Kristopher Russo and Chema Garcia said in an analysis. "It uses the API to establish a covert command-and-control (C2) channel, primarily through the AirWatch feature to manage custom device attributes and file uploads.""
""The PowerShell variant, for its part, utilizes the "/api/mdm/devices/" endpoint for C2 communications. While the endpoint is designed to fetch content details of a particular device, the malware uses the custom attributes feature in the API to use it as a dead drop resolver for storing information necessary for interacting with the attacker. Once launched, the backdoor initializes contact by sending a "CONNECT" message and awaits a "CONNECTED" message from the server. It then receives various tasks to be executed on the compromised host in the form of a message of type "ACTIONS." The output of the execution is sent back to the threat actor using a "RESULT" message.""
The researchers track the activity as cluster CL-STA-1009 and assess that it is likely state-backed. Airstalk abuses the AirWatch API (now Workspace ONE Unified Endpoint Management) as a covert command-and-control channel, riding on two legitimate features: custom device attributes and file uploads. It exists in PowerShell and .NET variants; the .NET variant carries additional capabilities and appears to be the more mature build. It runs a multi-threaded C2 protocol and can capture screenshots and harvest browser cookies, history, and bookmarks. Some artifacts appear to be signed with a stolen certificate. The PowerShell variant talks to the /api/mdm/devices/ endpoint, which is meant to return details for a single device, and repurposes its custom-attributes feature as a dead-drop resolver: the implant writes a CONNECT message, waits for a CONNECTED reply, receives tasking as an ACTIONS message, and returns output in a RESULT message. Because every hop is an authenticated HTTPS request to the organization's own MDM tenant, network-level blocklists are of little use; the tenant's API audit trail (custom-attribute writes and file uploads originating from devices, and the CONNECT/CONNECTED/ACTIONS/RESULT vocabulary inside them) is the more productive place to hunt.
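The dead-drop tasking loop described in the quoted passage and in the summary above, simulated end to end as an added example. This is not Airstalk code and not the Workspace ONE API: an in-memory DeadDrop stands in for a device's custom attributes, the attribute names (implant_out, operator_in), the Message shape, and the sample tasks are assumptions, and no command is ever executed (a task is just echoed back as a string). The suspicious_devices() check at the end shows the hunting idea from the summary: a device whose attribute writes carry the full handshake vocabulary is flagged, while an ordinary inventory write is not.

```python
"""Simulation of a CONNECT -> CONNECTED -> ACTIONS -> RESULT exchange over a
custom-attribute dead drop, plus a detection pass over the write log.
Added example: not Airstalk code, not the Workspace ONE API. All attribute
names, message fields and sample tasks are hypothetical."""
from dataclasses import dataclass, field
import json

IMPLANT_ATTR = "implant_out"    # hypothetical attribute the implant writes
OPERATOR_ATTR = "operator_in"   # hypothetical attribute the operator writes
C2_KINDS = {"CONNECT", "CONNECTED", "ACTIONS", "RESULT"}


@dataclass
class Message:
    kind: str                                   # one of C2_KINDS, or benign
    payload: list = field(default_factory=list)  # tasks or results


class DeadDrop:
    """Stands in for per-device custom attributes on an MDM device record."""
    def __init__(self):
        self.attrs = {}   # device_id -> {attribute name -> JSON string}
        self.log = []     # (device_id, attribute, kind) for every write

    def write(self, device_id, name, msg):
        self.attrs.setdefault(device_id, {})[name] = json.dumps(msg.__dict__)
        self.log.append((device_id, name, msg.kind))

    def read(self, device_id, name):
        raw = self.attrs.get(device_id, {}).get(name)
        return Message(**json.loads(raw)) if raw else None


class Implant:
    """Simulated beacon: one protocol step per poll, never runs a real command."""
    def __init__(self, device_id):
        self.device_id, self.state = device_id, "INIT"

    def poll(self, drop):
        if self.state == "INIT":
            drop.write(self.device_id, IMPLANT_ATTR, Message("CONNECT"))
            self.state = "AWAIT_CONNECTED"
        elif self.state == "AWAIT_CONNECTED":
            m = drop.read(self.device_id, OPERATOR_ATTR)
            if m and m.kind == "CONNECTED":
                self.state = "AWAIT_ACTIONS"
        elif self.state == "AWAIT_ACTIONS":
            m = drop.read(self.device_id, OPERATOR_ATTR)
            if m and m.kind == "ACTIONS":
                results = [f"simulated output of {t}" for t in m.payload]
                drop.write(self.device_id, IMPLANT_ATTR, Message("RESULT", results))
                self.state = "DONE"
        return self.state


class Operator:
    """Simulated operator side reading the same dead drop."""
    def __init__(self, tasks):
        self.tasks, self.state, self.results = tasks, "AWAIT_CONNECT", None

    def poll(self, drop, device_id):
        m = drop.read(device_id, IMPLANT_ATTR)
        if self.state == "AWAIT_CONNECT" and m and m.kind == "CONNECT":
            drop.write(device_id, OPERATOR_ATTR, Message("CONNECTED"))
            self.state = "SEND_ACTIONS"
        elif self.state == "SEND_ACTIONS":
            drop.write(device_id, OPERATOR_ATTR, Message("ACTIONS", self.tasks))
            self.state = "AWAIT_RESULT"
        elif self.state == "AWAIT_RESULT" and m and m.kind == "RESULT":
            self.results, self.state = m.payload, "DONE"
        return self.state


def run_exchange(tasks, device_id="dev-1", max_rounds=10):
    """Drive both sides until they finish; returns the drop and the results."""
    drop, implant, operator = DeadDrop(), Implant(device_id), Operator(tasks)
    for _ in range(max_rounds):
        implant.poll(drop)
        operator.poll(drop, device_id)
        if implant.state == "DONE" and operator.state == "DONE":
            break
    return drop, operator.results


def suspicious_devices(drop):
    """Devices whose attribute writes carry the whole handshake vocabulary."""
    seen = {}
    for device_id, _, kind in drop.log:
        seen.setdefault(device_id, set()).add(kind)
    return sorted(d for d, kinds in seen.items() if C2_KINDS <= kinds)


if __name__ == "__main__":
    drop, results = run_exchange(["whoami", "hostname"])   # constructed tasks
    drop.write("dev-2", "asset_tag", Message("INVENTORY", ["A-1"]))  # benign
    for entry in drop.log:
        print(entry)
    print("results:", results)
    print("flagged:", suspicious_devices(drop))
```

Run it and the write log shows the four-message sequence on dev-1 only; dev-2's inventory write never trips the check. In a real tenant the equivalent data is the API audit trail, and the check would key on which principal wrote the attribute and whether that principal has any business touching custom attributes at all.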
Read at The Hacker News