The Chinese speaking threat group known as LuoYu has been using man-on-the-side attacks to deploy WinDealer malware. The group monitors victim networks for application update requests and switches them with the malicious payload. The group mainly focuses on popular Asian apps such as QQ, WeChat, and WangWang. Once the group deploys WinDealer, they begin to steal large amounts of data, install backdoors to maintain persistence, manipulate files, scan for other devices on the network, and run arbitrary commands. Kaspersky senior security researcher, Suguru Ishimaru, stated “Man-on-the-side-attacks are extremely destructive, as the only condition needed to attack a device is for it to be connected to the internet. Even if the attack fails the first time, attackers can repeat the process over and over again until they succeed.” LuoYu is also known for attacking foreign diplomatic organizations in China, but recently they also started attacking companies in East Asia.
LuoYo is a very sophisticated threat group that effectively uses man-on-the-side attacks. These attacks can be incredibly destructive but can be mitigated through education. The attacks occur when threat actors read victim communications and inject malicious messages into the communication channel. The threat actors cannot delete incoming messages from outside parties. By understanding such attacks, victims can better identify malicious emails, text messages, and other phishing attempts to initiate man-on-the-side attacks.