Backdoored Client from Mongolian CA MonPass

Avast

We discovered an installer, downloaded from the official website of MonPass, a major certification authority (CA) in Mongolia in East Asia, that had been backdoored with malicious binaries. We immediately notified MonPass of our findings on 22 April and encouraged them to address their compromised server and to notify those who had downloaded the backdoored client.

We have confirmed with MonPass that they have taken steps to address these issues and are now presenting our .

This post provides an analysis of the backdoored installers and of other related samples we found in the wild. During our investigation we also came across related research from NTT Ltd, so some technical details or IoCs may overlap.

All the samples are highly similar and share the same PDB path:

C:\Users\test\Desktop\fishmaster\x64\Release\fishmaster.pdb

and the string: Bidenhappyhappyhappy.

Figure 1: Pdb path and specific string
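The PDB path and marker string above are useful triage indicators. The following scanner is an added example, not Avast's tooling or MonPass code: it looks for both indicators, in ASCII and UTF-16LE form, inside files that carry a PE header. The DEMO buffer is constructed for the demonstration and is not a real sample.

```python
# Added triage example (not Avast's tooling): flag files carrying the PDB path
# and marker string reported for the backdoored MonPass installers.
import os
from typing import Dict, List

# Indicators taken from the write-up, searched as ASCII and as UTF-16LE since
# strings embedded in a PE may appear in either encoding.
INDICATORS = {
    "pdb_path": rb"C:\Users\test\Desktop\fishmaster\x64\Release\fishmaster.pdb",
    "marker": b"Bidenhappyhappyhappy",
}

def is_pe(data: bytes) -> bool:
    """Cheap MZ/PE header check so non-executables are skipped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_bytes(data: bytes) -> Dict[str, List[int]]:
    """Return {indicator_name: [offsets]} for every indicator present in data."""
    hits: Dict[str, List[int]] = {}
    for name, needle in INDICATORS.items():
        offsets = []
        for variant in (needle, needle.decode("ascii").encode("utf-16-le")):
            pos = data.find(variant)
            while pos != -1:
                offsets.append(pos)
                pos = data.find(variant, pos + 1)
        if offsets:
            hits[name] = sorted(offsets)
    return hits

def scan_directory(root: str) -> Dict[str, Dict[str, List[int]]]:
    """Walk root and report every PE file matching at least one indicator."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            if is_pe(data) and (hits := scan_bytes(data)):
                findings[path] = hits
    return findings

# Constructed demo buffer (not a real sample): a minimal MZ/PE header followed
# by the PDB path in ASCII and the marker string in UTF-16LE.
DEMO = (b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"
        + b"\0" * 20 + INDICATORS["pdb_path"] + b"\0" * 8
        + "Bidenhappyhappyhappy".encode("utf-16-le"))
```

Run scan_directory() over a download cache or software repository to list files that carry either indicator; a hit on a file that should be a signed vendor installer warrants a closer look.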

The malicious installer is an unsigned PE file. It starts by downloading
