Full Report
A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack. Palo Alto Networks Unit 42 said it's tracking the cluster under the moniker CL-STA-1009, where "CL" stands for cluster and "STA" refers to state-backed motivation. "Airstalk misuses the AirWatch API for mobile device management (MDM), which is now
Analysis Summary
# Threat Actor: CL-STA-1009
## Attribution & Identity
**Identification:** Suspected nation-state threat actor.
**Known Aliases and Associated Groups:** Tracked by Palo Alto Networks Unit 42 under the moniker **CL-STA-1009** ("CL" for cluster, "STA" for state-backed motivation).
## Activity Summary
The threat actor is linked to the distribution of a new malware family named **Airstalk** as part of a suspected supply chain attack. The purpose of the activity appears to be covert surveillance and data exfiltration from compromised systems.
## Tactics, Techniques & Procedures
- **Supply Chain Compromise:** The malware is believed to have been delivered through a supply chain vector; the compromised supplier or software is not identified in the provided context.
- **API Misuse for C2:** Abusing the legitimate **AirWatch API** (now Workspace ONE Unified Endpoint Management) to establish a covert Command and Control (C2) channel.
- **Dead Drop Resolver:** Device custom attributes exposed by the API are used to store the information the implant and operator need to find and task each other, so the MDM tenant itself serves as the dead drop.
- **Multi-threaded C2:** Employs a multi-threaded C2 communication protocol.
- **Code Variant Development:** Operates at least two variants: PowerShell and a more capable .NET version.
- **Code Signing:** .NET samples have been observed signed with a "likely stolen" certificate from **Aoteng Industrial Automation (Langfang) Co., Ltd.**
- **Persistence (PowerShell Variant):** Uses a scheduled task for persistence.
- **Masquerading (.NET Variant):** The .NET variant attempts to mimic an AirWatch Helper utility (`AirwatchHelper.exe`).
- **C2 Communication Structure:** Uses specific messages for C2: "CONNECT" (initiation), "CONNECTED" (response), "ACTIONS" (tasks), and "RESULT" (output transmission). File exfiltration uses the API's "blobs" feature.
## Targeting
**Sectors:** Not explicitly detailed in the provided context. Because the C2 channel rides on an AirWatch/Workspace ONE tenant, victims are presumably organizations that operate that platform across large endpoint fleets, which would include enterprise and government entities.
**Geography:** Not specified in the provided context.
**Victims:** No specific victims are named in the context provided.
## Tools & Infrastructure
- **Malware Families Used:** Airstalk (PowerShell and .NET variants).
- **Infrastructure:** Leverages the **AirWatch/Workspace ONE MDM API** for C2.
- **PowerShell C2 Endpoint:** Uses the `/api/mdm/devices/` endpoint (see the Omnissa KB article at http://kb.omnissa.com/s/article/50117934).
- **Code Signing Certificate:** .NET samples are signed with a likely stolen certificate issued to Aoteng Industrial Automation (Langfang) Co., Ltd. This certificate signs the implant; it is not what authenticates the malware to the API, and how the malware obtains API credentials is not described in the provided context.
## Implications
The use of legitimate MDM APIs for C2 significantly raises the profile of this threat. Because the traffic terminates at a sanctioned Workspace ONE tenant over the same API that legitimate management tooling uses, destination- and signature-based network detection is largely ineffective; detection has to come from which hosts call the API, how often, and what they write. The more capable .NET variant indicates active development and refinement of the malware by the actor. Abusing MDM infrastructure, which by design has reach into every managed device, points to a persistent, high-value intent and a potential path to broader compromise.
## Mitigations
- **Certificate Monitoring:** Treat binaries signed by Aoteng Industrial Automation (Langfang) Co., Ltd. as suspect in environments with no business relationship to that company, and consider blocking that publisher in application control policy.
- **MDM API Visibility:** Implement enhanced logging and anomaly detection on AirWatch/Workspace ONE API usage, specifically monitoring unexpected traffic patterns on the `/api/mdm/devices/` endpoint or unusual custom attribute modifications/data submissions.
- **Application Control:** Allowlist PowerShell scripts and .NET executables by publisher and hash rather than by the mere presence of a signature; the .NET variant is signed with a likely stolen certificate, so "signed" alone is not a sufficient trust signal. Block unapproved scripts and newly introduced binaries in enterprise environments.
- **Endpoint Defense:** Deploy EDR capable of detecting unauthorized scheduled task creation and the browser cookie and history theft described for this malware.
- **Browser Security:** Implement protections targeting browser artifact theft (cookies, history) across Chrome, Microsoft Edge, and Island browser.
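The endpoint and custom-attribute monitoring recommended above, together with the CONNECT/ACTIONS/RESULT exchange over custom attributes and blobs described under Tactics, Techniques and Procedures, can be turned into a concrete triage rule over API access logs. The following is an added example, not Unit 42's code or anything published with the report. It assumes JSON-lines access logs from a reverse proxy or the UEM server with `ts`, `src`, `method`, `path` and `bytes_out` fields, an allowlist of hosts that legitimately call the REST API, and the sub-paths `/api/mdm/devices/<id>/customattributes` and `/api/mam/blobs/` for the custom attributes and blob features; those sub-paths, the thresholds and the sample log lines are constructed for the example.

```python
"""Flag Airstalk-style use of the Workspace ONE UEM (AirWatch) REST API in
access logs: custom-attribute writes from hosts that should not use the
API, fixed-interval polling of custom attributes, and bulk blob uploads.

Added example, not Unit 42 tooling. Assumptions (illustrative):
 - logs are JSON lines with ts (ISO 8601), src, method, path, bytes_out
 - custom attributes live under /api/mdm/devices/<id>/customattributes
 - the blobs feature is reached under /api/mam/blobs/
 - only EXPECTED_API_CLIENTS legitimately call the REST API
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

EXPECTED_API_CLIENTS = {"uem-console-01", "siem-connector"}
DEVICES_PREFIX = "/api/mdm/devices/"        # endpoint named in the report
CUSTOM_ATTR_MARKER = "/customattributes"    # assumed sub-path
BLOB_PREFIX = "/api/mam/blobs/"             # assumed sub-path
MIN_BEACONS = 4                             # calls needed before judging periodicity
MAX_JITTER = 0.25                           # std/mean of gaps below this looks scheduled
BLOB_BYTES_LIMIT = 5 * 1024 * 1024          # bytes uploaded per host before flagging

# Constructed sample log (not real traffic): one workstation polls and writes
# custom attributes roughly every 60 s and pushes a 7 MB blob; a console host
# and a one-off reader are benign.
SAMPLE_LOG = """\
{"ts":"2025-10-01T09:00:00Z","src":"uem-console-01","method":"GET","path":"/api/mdm/devices/search","bytes_out":210}
{"ts":"2025-10-01T09:00:05Z","src":"ws-finance-17","method":"PUT","path":"/api/mdm/devices/4821/customattributes","bytes_out":640}
{"ts":"2025-10-01T09:01:05Z","src":"ws-finance-17","method":"GET","path":"/api/mdm/devices/4821/customattributes","bytes_out":120}
{"ts":"2025-10-01T09:02:06Z","src":"ws-finance-17","method":"PUT","path":"/api/mdm/devices/4821/customattributes","bytes_out":655}
{"ts":"2025-10-01T09:03:05Z","src":"ws-finance-17","method":"GET","path":"/api/mdm/devices/4821/customattributes","bytes_out":118}
{"ts":"2025-10-01T09:04:06Z","src":"ws-finance-17","method":"PUT","path":"/api/mdm/devices/4821/customattributes","bytes_out":660}
{"ts":"2025-10-01T09:05:00Z","src":"ws-finance-17","method":"POST","path":"/api/mam/blobs/uploadblob","bytes_out":7340032}
{"ts":"2025-10-01T09:07:00Z","src":"uem-console-01","method":"PUT","path":"/api/mdm/devices/1007/customattributes","bytes_out":300}
{"ts":"2025-10-01T11:30:00Z","src":"ws-hr-03","method":"GET","path":"/api/mdm/devices/77/customattributes","bytes_out":110}
"""


def parse_log(text):
    """Parse JSON lines into events with datetime timestamps."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def is_custom_attr_call(event):
    return event["path"].startswith(DEVICES_PREFIX) and CUSTOM_ATTR_MARKER in event["path"]


def is_blob_upload(event):
    return event["method"] == "POST" and event["path"].startswith(BLOB_PREFIX)


def looks_periodic(timestamps):
    """True when inter-request gaps are tight enough to suggest a timer loop."""
    if len(timestamps) < MIN_BEACONS:
        return False
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean < MAX_JITTER


def triage(events):
    """Return {src: [reason, ...]} for hosts showing Airstalk-like API use."""
    attr_calls = defaultdict(list)
    attr_writes = defaultdict(int)
    blob_bytes = defaultdict(int)
    for event in events:
        src = event["src"]
        if src in EXPECTED_API_CLIENTS:
            continue
        if is_custom_attr_call(event):
            attr_calls[src].append(event["ts"])
            if event["method"] in ("PUT", "POST"):
                attr_writes[src] += 1
        elif is_blob_upload(event):
            blob_bytes[src] += event["bytes_out"]

    reasons = defaultdict(list)
    for src, stamps in attr_calls.items():
        if attr_writes[src]:
            reasons[src].append(f"{attr_writes[src]} custom-attribute write(s) from a non-management host")
        if looks_periodic(stamps):
            reasons[src].append(f"{len(stamps)} custom-attribute calls at a near-fixed interval")
    for src, total in blob_bytes.items():
        if total >= BLOB_BYTES_LIMIT:
            reasons[src].append(f"{total} bytes uploaded through the blobs API")
    return dict(reasons)


if __name__ == "__main__":
    for src, why in triage(parse_log(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(why))
```

The allowlist, the beacon jitter bound and the blob threshold encode environment-specific assumptions; tune them, and expect legitimate integrations that write custom attributes to need explicit allowlisting rather than a weaker rule. A single read from an unexpected host (the `ws-hr-03` line in the sample) is deliberately not enough on its own to fire.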