'WinDealer' is Malware That Cannot Be Trusted


Security researchers have identified several new malware families. One of them, WinDealer, is attributed to a threat actor tracked as LuoYu. LuoYu has been active for over a decade, primarily targeting entities located in China, such as foreign diplomatic missions and companies that handle sensitive information in the defense and telecom sectors.

LuoYu previously relied on compromised websites, which it turned into watering holes. In 2020 the threat actor moved to a new distribution method for WinDealer: abusing the update mechanisms of legitimate applications.

Researchers came across a digitally signed executable, compiled roughly a decade ago, that was used to deploy WinDealer. The confusing part is that this software updater fetches its patches from a hardcoded URL. The file hosted at that address was not malicious, yet on rare occasions the updater downloaded a copy of WinDealer instead of the legitimate update. A client that fetches updates over plain HTTP and runs whatever the server returns has no way to tell the two apart.
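The following is an added example, not code from the article or from the updater it describes. It models the update path in the paragraph above: a client fetching a patch from a hardcoded plain-HTTP URL over a link where an on-path attacker can occasionally race the real server. The weak client installs whatever arrives; the hardened client checks the download against a digest pinned into the updater at build time. The URL, the payload bytes and the injection schedule are all constructed for illustration.

```python
"""Simulated update client: the weak pattern described in the article beside
a hardened one. Added example; URL, payloads and schedule are constructed."""
import hashlib
import hmac

UPDATE_URL = "http://update.example.invalid/patch.exe"  # hypothetical hardcoded URL

# Constructed stand-ins for the legitimate update and the implant that an
# on-path attacker substitutes on the wire.
LEGIT_UPDATE = b"MZ\x90\x00 legitimate vendor patch (constructed bytes)"
INJECTED_UPDATE = b"MZ\x90\x00 implant substituted on the wire (constructed bytes)"

# The digest the vendor compiles *into* the signed updater. It must not be
# fetched over the same channel it is meant to check.
PINNED_SHA256 = hashlib.sha256(LEGIT_UPDATE).hexdigest()


class ManOnTheSideLink:
    """Transport where an observer can inject a response but cannot drop the
    real one, so it wins only when its answer arrives first. Injection is
    made deterministic (every `inject_every`-th request) so runs are
    reproducible; in practice it is sporadic, which is why most downloads
    from the same URL look clean."""

    def __init__(self, inject_every=5):
        self.inject_every = inject_every
        self.requests = 0
        self.last_url = None

    def get(self, url):
        self.last_url = url
        self.requests += 1
        if self.requests % self.inject_every == 0:
            return INJECTED_UPDATE  # attacker's reply won the race
        return LEGIT_UPDATE


class IntegrityError(Exception):
    pass


def weak_update(link):
    """The pattern the article describes: download from the hardcoded URL
    over plain HTTP and install whatever comes back. Returns the bytes that
    would be installed."""
    return link.get(UPDATE_URL)


def hardened_update(link, pinned_sha256=PINNED_SHA256):
    """Same download, but the payload must match the pinned digest before it
    is installed. compare_digest is constant-time; immaterial for a public
    hash, but the right habit for any digest or MAC comparison."""
    payload = link.get(UPDATE_URL)
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        raise IntegrityError(
            f"update from {UPDATE_URL} failed integrity check: "
            f"sha256 {digest[:16]}... != pinned {pinned_sha256[:16]}..."
        )
    return payload


def run_campaign(updater, rounds=20, inject_every=5):
    """Run `updater` through `rounds` update checks on a fresh link and tally
    the outcome. Returns (legit_installed, implant_installed, rejected)."""
    link = ManOnTheSideLink(inject_every)
    legit = implant = rejected = 0
    for _ in range(rounds):
        try:
            installed = updater(link)
        except IntegrityError:
            rejected += 1
            continue
        if installed == INJECTED_UPDATE:
            implant += 1
        else:
            legit += 1
    return legit, implant, rejected


if __name__ == "__main__":
    print("weak client:    ", run_campaign(weak_update))      # (16, 4, 0)
    print("hardened client:", run_campaign(hardened_update))  # (16, 0, 4)
```

The point of the pinned digest is that it travels in a different channel from the download (here, inside the updater binary; in a real product, a signature verified against a key shipped with the application). Fetching a checksum file from the same plain-HTTP URL would defeat the purpose, since the same on-path attacker can race that response too. TLS with proper certificate validation would also deny the attacker the race, but signing the update itself protects the client regardless of how the bytes arrive.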

WinDealer is a modular tool with a broad range of capabilities: operators can read and write files, collect system information, transfer files in both directions, execute remote commands and capture screenshots.

The malware's infrastructure is the most surprising part. Analysis showed that WinDealer is delivered through plain HTTP requests that return the normal, legitimate executable most of the time. In addition, the range of IP addresses and domains the malware can communicate with seems exorbitant, even for a large threat actor. This led researchers to conclude that the attacks most likely include a man-on-the-side component: an attacker positioned to observe traffic on the path cannot block the legitimate response, but can race it with a forged one and succeeds only when the forged reply arrives first. That would explain why the same URL serves the real update nearly every time and WinDealer only occasionally.

June 3, 2022