Avast announced that they have discovered a backdoored client installer on the official website of a major certification authority, MonPass. The installer is backdoored with Cobalt Strike binaries. Avast announced that they have notified the Mongolian company and encouraged them to address their compromised server and alert those who downloaded the backdoored client.
Backdoored with Cobalt Strike binaries
Avast presented its analysis about the issue after they have taken steps to address the issue. According to the announcement, Avast started its analysis in April of 2021. The results showed that a public webserver hosted by MonPass was breached potentially eight separate times. Eight different webshells and backdoors were found in the server.
Avast also stated that MonPass available for download for a period of time was also backdoored. a public webserver hosted by MonPass was breached potentially eight separate times. Avast also stated that attackers decided to use steganography to transfer shellcode to their victims. When executed, it downloads a bitmap image. Avast stated that they also observed some basic anti-analysis techniques used in an attempt to avoid detection.