State-Backed Hackers Exploit Airstalk Malware for BPO Supply Chain Intrusions

A sophisticated malware campaign named Airstalk is raising alarms in the cybersecurity world after being linked to a suspected state-sponsored threat group. With its ability to exploit widely used enterprise management tools, the malware highlights significant vulnerabilities in global supply chains, particularly within the Business Process Outsourcing (BPO) industry.

A New Breed of Cyber Threat

The Airstalk malware has been traced to a threat cluster identified as CL-STA-1009 by researchers at Palo Alto Networks Unit 42. Unlike traditional malware attacks that target individual systems, Airstalk is engineered to infiltrate enterprise software environments, making it a more insidious threat to corporate ecosystems.

What sets Airstalk apart is its misuse of VMware’s Workspace ONE Unified Endpoint Management (UEM), previously known as AirWatch. This legitimate tool, used by organizations to manage mobile devices, has been turned against its users. By exploiting its APIs, attackers have transformed standard device management features into a covert command-and-control (C2) channel. This allows them to steal sensitive data while remaining undetected within trusted corporate networks.

"Airstalk uses the API to establish a covert C2 channel primarily through the AirWatch feature to manage custom device attributes and file uploads," explained Kristopher Russo and Chema Garcia of Unit 42. This method enables attackers to operate with alarming discretion.

Dual Variants of Airstalk: PowerShell and .NET

Unit 42’s analysis shows that Airstalk operates in two primary forms: one written in PowerShell and another in .NET. Both variants establish contact with a C2 server and are capable of executing a range of malicious actions, including stealing browser cookies, exfiltrating files, and capturing screenshots.

The PowerShell variant relies on the "/api/mdm/devices/" endpoint within AirWatch’s framework, camouflaging its activity as routine management tasks. The .NET version, however, is more advanced, featuring stronger persistence mechanisms and commands that mimic legitimate enterprise tools like "AirwatchHelper.exe."

The malware’s arsenal includes commands such as Screenshot for screen captures, UpdateChrome for harvesting browser profiles, and UploadFile for sending stolen credentials. It can also execute remote commands using OpenURL or delete traces of its presence with Uninstall.

How Airstalk Operates: Unseen but Effective

Once activated, Airstalk begins its operation by sending a "CONNECT" message to its remote operator, awaiting a confirmation response. It then executes a series of instructions received from its C2 server, collecting information or files, and providing a "RESULT" message upon completion.
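The channel described above (custom device attributes and file uploads sent through the "/api/mdm/devices/" API, with a regular CONNECT/RESULT exchange) leaves a footprint in the management platform's own API audit trail, which is where a defender can look for it. The following script is an added, illustrative example written for this article and is not Unit 42's tooling or VMware's code. The JSON-lines log format, the field names, and the path shapes "/api/mdm/devices/<id>/customattributes" and "/api/mdm/devices/<id>/files" are assumptions for illustration only; real Workspace ONE UEM audit logs will differ and the rules must be re-mapped to them. It scores each device on three indicators that normal attribute management does not combine: repeated base64-shaped, high-entropy attribute values; writes at a fixed cadence (beacon-like); and a file upload from the same device that is writing attributes.

```python
"""Heuristic detection of MDM API misuse as a covert channel (defender-side
example, not vendor or researcher code). Log format and endpoint path shapes
are assumptions; map them to the real audit source before use."""
import json
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
ENTROPY_MIN = 4.0   # bits per char; human-readable labels sit well below this
WRITES_MIN = 3      # attribute writes needed before cadence is judged
JITTER_MAX = 0.2    # stdev/mean of write intervals; near 0 means a fixed beacon

# Constructed sample audit events (not real data). DEV-A writes one ordinary
# label, DEV-B writes high-entropy values every five minutes and then uploads
# a file, DEV-C only receives a single file push.
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:00:00Z","device":"DEV-A","method":"PUT","path":"/api/mdm/devices/1001/customattributes","value":"BuildingB-Floor3"}
{"ts":"2025-01-10T09:00:00Z","device":"DEV-B","method":"PUT","path":"/api/mdm/devices/1002/customattributes","value":"3kP9xZ2mQ7LvR1wT8nB4yH6cF0jD5gS"}
{"ts":"2025-01-10T09:05:00Z","device":"DEV-B","method":"PUT","path":"/api/mdm/devices/1002/customattributes","value":"aX7pL2qW9eR4tY1uI8oP3sD6fG0hJ5kZ"}
{"ts":"2025-01-10T09:10:00Z","device":"DEV-B","method":"PUT","path":"/api/mdm/devices/1002/customattributes","value":"Mn4Vb7Cx2Zq9Ws1Ed6Rf3Tg8Yh5Uj0Ik"}
{"ts":"2025-01-10T09:15:00Z","device":"DEV-B","method":"PUT","path":"/api/mdm/devices/1002/customattributes","value":"Lp0Ok9Ij8Uh7Yg6Tf5Rd4Es3Wa2Qz1Xc=="}
{"ts":"2025-01-10T09:16:00Z","device":"DEV-B","method":"POST","path":"/api/mdm/devices/1002/files","value":""}
{"ts":"2025-01-10T09:20:00Z","device":"DEV-C","method":"POST","path":"/api/mdm/devices/1003/files","value":""}
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(value: str) -> bool:
    """True for base64-shaped, high-entropy values unlike normal attribute labels."""
    return bool(BASE64_RE.match(value)) and shannon_entropy(value) >= ENTROPY_MIN


def parse_events(text: str) -> list:
    """Parse JSON-lines audit events; ISO-8601 timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return events


def analyze(events: list) -> dict:
    """Return {device: [reasons]} for devices whose /api/mdm/devices/ traffic
    combines at least two covert-channel indicators."""
    per = defaultdict(lambda: {"writes": [], "encoded": 0, "uploads": 0})
    for ev in events:
        if not ev["path"].startswith("/api/mdm/devices/"):
            continue
        d = per[ev["device"]]
        if ev["path"].endswith("/customattributes") and ev["method"] in ("PUT", "POST"):
            d["writes"].append(ev["ts"])
            if looks_encoded(ev.get("value", "")):
                d["encoded"] += 1
        elif ev["path"].endswith("/files") and ev["method"] == "POST":
            d["uploads"] += 1

    findings = {}
    for device, d in per.items():
        reasons = []
        if d["encoded"] >= 2:
            reasons.append("repeated high-entropy attribute values")
        if len(d["writes"]) >= WRITES_MIN:
            ts = sorted(d["writes"])
            gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= JITTER_MAX:
                reasons.append("fixed-cadence attribute writes (beacon-like)")
        if d["uploads"] and d["writes"]:
            reasons.append("file upload from a device also writing attributes")
        if len(reasons) >= 2:
            findings[device] = reasons
    return findings


if __name__ == "__main__":
    for device, reasons in analyze(parse_events(SAMPLE_LOG)).items():
        print(device, "->", "; ".join(reasons))
```

Requiring two indicators rather than one keeps a device that legitimately receives a file push (DEV-C) or stores an odd-looking asset tag out of the alert queue; the thresholds are starting points to tune against a baseline of the organization's real attribute and file-distribution traffic, and the entropy test will miss a channel that encodes its messages as plausible-looking labels, so the cadence and upload indicators matter as much as the value check.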

To evade detection, the malware uses a digital signature from Aoteng Industrial Automation (Langfang) Co., Ltd., which is likely stolen. Researchers have dated the earliest known version of the malware to June 2024, underscoring the long-term planning and funding behind this campaign.

The PowerShell variant maintains persistence by scheduling tasks, while the .NET counterpart employs subtler methods, potentially relying on lateral movement within enterprise systems to stay active.

BPOs: A Lucrative Target

Cybersecurity analysts have highlighted a particularly troubling aspect of Airstalk – its focus on exploiting the vulnerabilities of BPO companies. These organizations, which manage sensitive client data across various industries, serve as an attractive entry point for attackers aiming to infiltrate larger networks.

"The evasion techniques employed by this malware allow it to remain undetected in most environments," researchers noted. "This is particularly disastrous for organizations that use BPO because stolen browser session cookies could allow access to a large number of their clients."

By targeting BPO environments and leveraging enterprise browsers like Island, Chrome, and Edge, attackers can gain access to a vast range of interconnected systems. This supply chain focus represents a shift in strategy, where attackers compromise a single vendor to observe and exploit multiple downstream clients.

As Kristopher Russo explained, "Attackers are willing to invest generously in the resources necessary to not only compromise them but maintain access indefinitely."

A Grim Warning for Outsourced Trust

The emergence of Airstalk serves as a stark warning about the vulnerabilities inherent in the interconnected ecosystems of modern enterprises. By weaponizing trust in third-party tools and vendors, state-backed actors demonstrate a troubling ability to exploit corporate supply chains from within.

In an era of increasing reliance on outsourcing, the threat of malware like Airstalk underscores the urgent need for robust security measures across all levels of the supply chain. For organizations and their service providers, vigilance is no longer optional – it is critical to survival.
