New Airstalk Malware Linked to Suspected Nation-State Supply Chain Attacks

A new Windows-based malware family, dubbed Airstalk, has been identified by Palo Alto Networks Unit 42, which assesses with medium confidence that a suspected nation-state threat actor is deploying it in a likely supply chain attack. The threat activity cluster, tracked as CL-STA-1009, primarily targets the business process outsourcing (BPO) sector.

Airstalk leverages the AirWatch API for mobile device management (MDM), now known as Workspace ONE Unified Endpoint Management, to establish a covert command-and-control (C2) channel, according to security researchers Kristopher Russo and Chema Garcia. This sophisticated malware family exists in both PowerShell and .NET variants, utilizing custom device attributes and file uploads within the MDM API as a dead-drop resolver for C2 communications in order to evade detection.

The PowerShell variant of Airstalk primarily communicates with its C2 infrastructure through the /api/mdm/devices/ endpoint, which is designed for fetching device content details, as outlined by Unit 42. This variant initiates contact by sending a “CONNECT” message, awaits a “CONNECTED” response, and subsequently processes “ACTIONS” messages for task execution before returning results via “RESULT” messages. Capabilities include taking screenshots, listing Chrome profiles, and exfiltrating Chrome cookies, bookmarks, and browsing history through the UploadResult functionality.
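The CONNECT / CONNECTED / ACTIONS / RESULT sequence is itself a detection opportunity: a client that is not the expected MDM agent and whose traffic to a device record walks through those tokens in order is behaving like the dead-drop channel described above. The following Python is an added defender-side example, not code from the Unit 42 report; the log line format, the client names (`host-17`, `mdm-agent`) and the `msg=` field are constructed assumptions, since the page does not specify what an MDM API access record looks like.

```python
import re
from collections import defaultdict

# Message tokens of the PowerShell variant's handshake, in the order Unit 42 describes.
HANDSHAKE = ("CONNECT", "CONNECTED", "ACTIONS", "RESULT")

# Constructed sample of MDM API access records (not real Workspace ONE log output):
# timestamp, calling client, HTTP method, device path, message token seen in the request.
SAMPLE_LOG = """\
2024-07-01T09:00:01Z host-17 PUT /api/mdm/devices/4021 msg=CONNECT
2024-07-01T09:00:31Z mdm-agent GET /api/mdm/devices/4021 msg=-
2024-07-01T09:00:40Z host-17 GET /api/mdm/devices/4021 msg=CONNECTED
2024-07-01T09:01:02Z host-17 GET /api/mdm/devices/4021 msg=ACTIONS
2024-07-01T09:01:45Z host-17 PUT /api/mdm/devices/4021 msg=RESULT
2024-07-01T09:02:10Z host-22 PUT /api/mdm/devices/5088 msg=CONNECT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                     r"/api/mdm/devices/(?P<device>\d+)\S* msg=(?P<msg>\S+)$")

def parse_records(log_text):
    """Yield (client, device_id, message) for each call to the device endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["client"], m["device"], m["msg"]

def handshake_progress(messages):
    """Count how many handshake steps appear in order (other messages are skipped)."""
    step = 0
    for msg in messages:
        if step < len(HANDSHAKE) and msg == HANDSHAKE[step]:
            step += 1
    return step

def find_dead_drop_sessions(log_text, trusted_clients=("mdm-agent",)):
    """Map (client, device) -> 'full' or 'partial' for untrusted clients whose
    traffic to one device record follows the Airstalk message sequence."""
    seen = defaultdict(list)
    for client, device, msg in parse_records(log_text):
        if client not in trusted_clients:
            seen[(client, device)].append(msg)
    findings = {}
    for key, msgs in seen.items():
        steps = handshake_progress(msgs)
        if steps == len(HANDSHAKE):
            findings[key] = "full"
        elif steps >= 1:
            findings[key] = "partial"
    return findings
```

A "partial" finding (a CONNECT with no completed exchange) is worth a look on its own, since the page notes the implant waits for CONNECTED before doing anything else.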

The more advanced .NET variant of Airstalk expands upon these capabilities, additionally targeting Microsoft Edge and the enterprise-focused Island browser, Unit 42 reports. This version employs a multi-threaded C2 communication protocol, incorporates versioning, and features distinct execution threads for managing C2 tasks, exfiltrating debug logs, and beaconing to the C2 server, as detailed in the analysis. It also attempts to pass as an AirWatch helper utility by using the filename “AirwatchHelper.exe” to blend in.

For defense evasion, the .NET variant’s binaries are signed with a certificate likely stolen from “Aoteng Industrial Automation (Langfang) Co., Ltd.” of Langfang, Hebei, China. This certificate, valid from June 28, 2024, was revoked approximately ten minutes after its issuance date, according to Unit 42’s findings. While early iterations had compilation timestamps from late June 2024, later samples show manipulated PE timestamps; the signing timestamps nonetheless helped establish a development timeline for the malware.

The suspected targeting of Business Process Outsourcing (BPO) organizations is significant, as Unit 42 explains. BPOs often possess extensive access to critical business systems across multiple client organizations, making them lucrative targets for both criminal and nation-state attackers who aim to maintain access indefinitely. The evasion techniques employed by Airstalk, particularly its ability to operate within third-party vendor environments, could allow attackers to remain undetected and gain access to sensitive client data via stolen browser session cookies, screenshots, and logged keystrokes, Unit 42 warns.

The discovery of Airstalk underscores the evolving tactics of advanced threat actors and the ongoing challenges in securing complex supply chains.