
Verticals Targeted: Business Process Outsourcing (BPO)
Regions Targeted: Not Specified
Related Families: None
Executive Summary
Airstalk is a new Windows malware family deployed by a suspected nation-state actor in supply chain attacks, leveraging the AirWatch MDM API as a covert C2 channel to exfiltrate browser data. Available in PowerShell and .NET variants, the malware highlights evolving threats to third-party vendors.
Key Takeaways
- Airstalk misuses MDM APIs for dead-drop C2 communications, enabling stealthy data exfiltration from browsers like Chrome, Edge, and Island.
- The .NET variant features multi-threaded operations, versioning, and advanced tasks, signed with a revoked certificate likely stolen from a Chinese firm.
- Persistence is maintained via scheduled tasks in the PowerShell variant.
- The .NET variant lacks persistence but includes beaconing and debug logging.
What is Airstalk?
Palo Alto’s Unit 42 has detailed a novel malware family dubbed Airstalk, targeting Windows systems through suspected supply chain compromises. This threat, tracked under activity cluster CL-STA-1009, is attributed with medium confidence to a nation-state adversary. Airstalk exploits the AirWatch MDM API, now part of Workspace ONE Unified Endpoint Management, to establish a hidden command-and-control (C2) channel. By abusing custom device attributes and file upload endpoints, it creates a dead-drop mechanism for asynchronous communication, so implant and operator never connect to each other directly.
The malware manifests in two primary forms: a PowerShell script and a more sophisticated .NET executable. Both variants share the core C2 methodology, exchanging JSON-formatted messages embedded in API calls. The PowerShell version stores base64-encoded payloads in custom attributes, with required fields including a client UUID derived from WMI queries and the serialized message itself. It supports tasks such as screenshot capture, Chrome cookie dumping via remote debugging, bookmark and history extraction, file listing, and self-uninstallation. Communications revolve around message types such as CONNECT, CONNECTED, ACTIONS, and RESULT, with numeric task IDs defining operations; ID 3 is notably unused, which possibly indicates a modular design or hidden features.
In contrast, the .NET variant advances this framework with multi-threaded execution for task management, beaconing, and debug exfiltration. It appends suffixes to UUIDs for delivery types and introduces additional message types like MISMATCH, DEBUG, and PING. Targeting expanded browsers, including Chrome, Microsoft Edge, and Island, it executes compound tasks, such as profile enumeration and artifact uploads. For evasion, .NET samples are signed using a certificate issued to Aoteng Industrial Automation (Langfang) Co., Ltd., revoked shortly after issuance in June 2024. Timestamps suggest development from mid-2024 onward, with manipulated compile dates but verifiable signing times.
Airstalk's capabilities focus on sensitive browser data theft, including cookies, history, bookmarks, and screenshots, potentially enabling session hijacking across victim networks. The PowerShell variant persists via scheduled tasks, while the .NET variant relies on episodic runs, marking uninstallation via API flags. This design suits supply chain intrusions, particularly in BPO setups where outsourced specialists access client systems from unmanaged endpoints. Adversaries can exploit this blind spot, maintaining long-term footholds to map operations and exfiltrate data undetected.
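The dead-drop pattern described above (base64 payloads in MDM custom attributes that decode to JSON carrying the CONNECT/CONNECTED/ACTIONS/RESULT vocabulary, extended with MISMATCH/DEBUG/PING and suffixed UUIDs in the .NET variant) can be hunted for in an export of custom-attribute values. The script below is an added example written for this page, not code from PolySwarm or Unit 42. The export field names (device_id, attribute_name, attribute_value) and the JSON key names in the constructed samples are assumptions; the report does not give Airstalk's actual field names, so only the message-type vocabulary and the base64-JSON-in-custom-attribute shape come from the page.

```python
import base64
import binascii
import json
import re

# Message types the report names for the PowerShell variant (CONNECT, CONNECTED,
# ACTIONS, RESULT) plus the extra ones it names for the .NET variant
# (MISMATCH, DEBUG, PING).
AIRSTALK_MESSAGE_TYPES = frozenset(
    {"CONNECT", "CONNECTED", "ACTIONS", "RESULT", "MISMATCH", "DEBUG", "PING"}
)

# A UUID followed by trailing characters: the report says the .NET variant appends
# a suffix to the client UUID to mark the delivery type. The exact suffix values
# are not given, so any non-empty suffix is reported.
UUID_WITH_SUFFIX = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
    r"(?P<suffix>.+)$"
)


def decode_attribute(value):
    """Base64 -> UTF-8 -> JSON object; None if the value is not that shape."""
    if not isinstance(value, str) or len(value) < 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def walk_strings(obj):
    """Yield every string value nested anywhere inside a decoded JSON object."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from walk_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from walk_strings(v)


def classify(obj):
    """Return (sorted message types found, list of UUID suffixes found)."""
    strings = list(walk_strings(obj))
    types = sorted({s for s in strings if s in AIRSTALK_MESSAGE_TYPES})
    suffixes = [m.group("suffix") for m in map(UUID_WITH_SUFFIX.match, strings) if m]
    return types, suffixes


def scan_records(records):
    """Flag records whose custom-attribute value decodes to Airstalk-style JSON.

    Base64 JSON alone is not flagged (legitimate tooling does that too); the
    decoded object must contain at least one of the C2 message-type strings.
    """
    findings = []
    for rec in records:
        obj = decode_attribute(rec.get("attribute_value"))
        if obj is None:
            continue
        types, suffixes = classify(obj)
        if not types:
            continue
        findings.append({
            "device_id": rec.get("device_id"),
            "attribute_name": rec.get("attribute_name"),
            "message_types": types,
            "uuid_suffixes": suffixes,
        })
    return findings


def _b64json(obj):
    """Build a constructed sample value in the shape the scanner expects."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


# Constructed sample export (hypothetical field names; all values are made up).
SAMPLE_RECORDS = [
    {"device_id": "dev-001", "attribute_name": "AssetTag",
     "attribute_value": "LAT-5540-0042"},                           # plain text, benign
    {"device_id": "dev-002", "attribute_name": "Inventory",
     "attribute_value": _b64json({"owner": "helpdesk", "rack": 7})},  # base64 JSON, benign
    {"device_id": "dev-003", "attribute_name": "Status",
     "attribute_value": _b64json({"type": "CONNECT",
                                  "uuid": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
                                  "msg": "AAAA"})},                  # PowerShell-style
    {"device_id": "dev-004", "attribute_name": "Status",
     "attribute_value": _b64json({"type": "PING",
                                  "uuid": "3f2504e0-4f89-11d3-9a0c-0305e82c3301-dbg"})},  # .NET-style suffix
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

Run against the constructed records, only dev-003 and dev-004 are reported: the plain asset tag fails base64 validation and the benign base64 JSON carries none of the message-type strings. In a real hunt, the same two indicators (custom attributes that decode to JSON with this vocabulary, and client UUIDs carrying a trailing suffix) are the things to pivot on, alongside the file-upload endpoint activity the report describes.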
IOCs
PolySwarm has multiple samples of Airstalk.
dfdc27d81a6a21384d6dba7dcdc4c7f9348cf1bdc6df7521b886108b71b41533
b6d37334034cd699a53df3e0bcac5bbdf32d52b4fa4944e44488bd2024ad719b
4e4cbaed015dfbda3c368ca4442cd77a0a2d5e65999cd6886798495f2c29fcd5
3a48ea6857f1b6ae28bd1f4a07990a080d854269b1c1563c9b2e330686eb23b5
You can use the following CLI command to search for all Airstalk samples in our portal:
$ polyswarm link list -f Airstalk