Nation-State Hackers Use New Airstalk Malware in Suspected Supply Chain Attack

A sophisticated threat actor, believed to be state-sponsored, has been discovered using a previously unknown malware family dubbed “Airstalk” in a suspected software supply chain attack. The malware uniquely abuses a legitimate enterprise mobile device management (MDM) API to establish a covert communication channel with its operators.

The Attacker and the Malware’s Core Deception

Tracked by Palo Alto Networks Unit 42 as CL-STA-1009 (where “STA” indicates state-backed motivation), the cluster employs the Airstalk malware. The malware’s primary innovation is its misuse of the AirWatch API, a component of VMware’s Workspace ONE Unified Endpoint Management (UEM) platform.

Security researchers Kristopher Russo and Chema Garcia explained, “It uses the API to establish a covert command-and-control (C2) channel, primarily through the AirWatch feature to manage custom device attributes and file uploads.” This technique allows the malware to blend its traffic with legitimate enterprise management communications, making detection significantly more difficult.

Airstalk’s Two Variants: PowerShell and Advanced .NET

Airstalk has been identified in two distinct forms: a PowerShell version and a more advanced, feature-rich .NET variant. Both are designed to steal sensitive data from infected hosts, including screenshots, browser cookies, history, and bookmarks. Evidence suggests the attackers are using a stolen code-signing certificate to sign some of the malware files, lending them an air of legitimacy.

The core communication method for the PowerShell variant involves the /api/mdm/devices/ endpoint. The malware abuses the API’s “custom attributes” feature, using it as a dead drop resolver to store and retrieve commands from the attackers.

The infection sequence is methodical:

  1. The backdoor sends a “CONNECT” message to initiate contact.
  2. It awaits a “CONNECTED” response from the C2 server.
  3. It receives tasks in an “ACTIONS” message.
  4. It sends back the results of these tasks using a “RESULT” message.
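As an added defender-side illustration (not code from the Unit 42 report or the malware itself), the following Python snippet scans MDM API log lines for that CONNECT/CONNECTED/ACTIONS/RESULT handshake on a per-device basis. The log line format, device ids and the `value=` field are constructed assumptions; Airstalk's real custom-attribute names and encoding are not on this page.

```python
import re
from collections import defaultdict

# Constructed sample of MDM API access log lines (format is an assumption; real
# Workspace ONE UEM logs differ). Each line: timestamp, device id, HTTP method,
# request path and the custom-attribute value observed in the request or response.
SAMPLE_LOG = """\
2024-07-01T08:00:01Z dev=D-1001 PUT /api/mdm/devices/1001/customattributes value=CONNECT
2024-07-01T08:00:04Z dev=D-1001 GET /api/mdm/devices/1001/customattributes value=CONNECTED
2024-07-01T08:00:09Z dev=D-1001 GET /api/mdm/devices/1001/customattributes value=ACTIONS
2024-07-01T08:00:30Z dev=D-1001 PUT /api/mdm/devices/1001/customattributes value=RESULT
2024-07-01T08:01:00Z dev=D-2002 PUT /api/mdm/devices/2002/customattributes value=AssetTag=LAB-17
2024-07-01T08:02:00Z dev=D-3003 PUT /api/mdm/devices/3003/customattributes value=CONNECT
2024-07-01T08:02:30Z dev=D-3003 PUT /api/mdm/devices/3003/customattributes value=RESULT
"""

# Handshake order described in the write-up (PowerShell variant).
HANDSHAKE = ("CONNECT", "CONNECTED", "ACTIONS", "RESULT")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dev=(?P<dev>\S+) (?P<method>[A-Z]+) (?P<path>\S+) value=(?P<value>.*)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_airstalk_handshakes(text):
    """Return {device: [timestamps]} for every device whose custom-attribute
    traffic under /api/mdm/devices/ shows the full handshake in order.
    Unrelated attribute writes may be interleaved; a device that skips a
    step (e.g. CONNECT straight to RESULT) is not reported."""
    progress = defaultdict(int)     # device -> index of the next expected marker
    seen_at = defaultdict(list)     # device -> timestamps of matched markers
    hits = {}
    for rec in parse_log(text):
        if not rec["path"].startswith("/api/mdm/devices/"):
            continue
        dev = rec["dev"]
        if progress[dev] >= len(HANDSHAKE):
            continue                # already reported this device
        if rec["value"].strip() == HANDSHAKE[progress[dev]]:
            progress[dev] += 1
            seen_at[dev].append(rec["ts"])
            if progress[dev] == len(HANDSHAKE):
                hits[dev] = seen_at[dev]
    return hits
```

Running `find_airstalk_handshakes(SAMPLE_LOG)` flags only device D-1001; D-2002 writes an ordinary attribute and D-3003 never completes the sequence.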

The PowerShell variant supports seven key actions:

  • Taking screenshots.
  • Stealing cookies from Google Chrome.
  • Listing all user Chrome profiles.
  • Collecting browser bookmarks and history.
  • Enumerating files in the user’s directory.
  • Uninstalling itself.

The Advanced .NET Variant: Expanded Capabilities and Stealth

The .NET version of Airstalk represents a significant evolution. It expands its theft capabilities to target not only Google Chrome but also Microsoft Edge and Island, a browser designed for secure enterprise use. To improve its disguise, it masquerades as a legitimate “AirwatchHelper.exe” utility.

This variant introduces three new message types for better operational control (MISMATCH, DEBUG and PING) and uses three dedicated execution threads for managing C2 tasks, exfiltrating debug logs, and sending beaconing signals to the server.

It supports a wider array of commands, including:

  • Screenshot, UpdateChrome and UploadFile for data theft.
  • OpenURL to open new web pages in Chrome.
  • EnterpriseIslandProfiles and UpdateIsland to target the Island enterprise browser.
  • ExfilAlreadyOpenChrome to dump cookies from active Chrome sessions.

Notably, while the PowerShell version uses a scheduled task for persistence, the .NET variant currently lacks a persistence mechanism. Some samples of the .NET malware are signed with a “likely stolen” certificate from “Aoteng Industrial Automation (Langfang) Co., Ltd.,” with the earliest samples dating back to June 28, 2024.

The Supply Chain Attack Hypothesis and BPO Sector Targeting

The exact distribution method remains unknown, but the malware’s features point toward a sophisticated supply chain attack, potentially targeting the Business Process Outsourcing (BPO) sector.

“Organizations specializing in BPO have become lucrative targets for both criminal and nation-state attackers,” the report noted. The use of an MDM API for C2 is particularly clever, as it allows the malware to remain hidden, especially within a third-party vendor’s environment.

The consequences are severe: “This is particularly disastrous for organizations that use BPO because stolen browser session cookies could allow access to a large number of their clients.”