A sophisticated malware, dubbed Airstalk, is being linked to a likely nation-state threat actor operating through what appears to be a supply chain attack. Security researchers at Palo Alto Networks Unit 42 are tracking this cluster of activity under the moniker CL-STA-1009, with “STA” indicating a state-backed motivation. The core of Airstalk’s stealth lies in its clever misuse of the AirWatch API—now part of Workspace ONE Unified Endpoint Management—to create a clandestine command-and-control (C2) channel, primarily by exploiting AirWatch’s features for managing custom device attributes and file uploads.
Airstalk has been observed in both PowerShell and .NET variants, with the latter suggesting a more advanced iteration due to its expanded capabilities. The C2 communication protocol is multi-threaded, enabling the malware to execute espionage functions like capturing screenshots and thoroughly harvesting sensitive data such as cookies, browser history, bookmarks, and stored credentials from web browsers. There is also evidence suggesting that the threat actors are leveraging a stolen certificate to sign some of the malicious artifacts involved in the deployment of the malware.
The functionality of the malware hinges on its communication method. The PowerShell version, for instance, utilizes the /api/mdm/devices/ endpoint for C2. While this endpoint is intended for fetching device details, Airstalk subverts the custom attributes feature within the API to use it as a dead drop resolver for storing data needed to interact with the attacker. Once executed on a host, the backdoor initiates contact with a “CONNECT” message and awaits a “CONNECTED” response, after which it is ready to receive and process tasks.
Tasks, which are delivered in the form of an “ACTIONS” message, are wide-ranging and focused on data exfiltration. The backdoor supports seven distinct actions, allowing the attacker to take a screenshot, gather cookies, history, and bookmarks from specific Google Chrome profiles, and enumerate all files within the user’s directory. Crucially, the backdoor also includes an option to uninstall itself from the compromised host, likely as a clean-up measure.
When Airstalk needs to send back a significant volume of data or files resulting from a task, such as a complete history log or a large file enumeration, it relies on another AirWatch feature. The malware utilizes the blobs feature of the AirWatch MDM API. This allows it to upload the collected content back to the threat actor by creating it as a new blob, thereby maintaining a covert and effective method for exfiltrating large amounts of sensitive data.
Reference:
