New "Airstalk" Malware Abuses VMware API in Nation-State Supply Chain Attack

Executive Summary

Security researchers have identified a new, sophisticated malware named "Airstalk" used in what is assessed with medium confidence to be a nation-state-sponsored supply chain attack. The activity cluster, tracked as CL-STA-1009, demonstrates advanced tradecraft, including the use of a stolen code-signing certificate and a novel command-and-control (C2) channel. The malware abuses the legitimate API of VMware Workspace ONE UEM (formerly AirWatch) to conduct its C2 communications, allowing it to blend in with normal administrative traffic and evade detection. This technique, combined with a supply chain delivery vector, makes Airstalk a significant threat to organizations that rely on compromised software.

Threat Overview

The attack represents a classic supply chain compromise, where threat actors target an organization by compromising a third-party software or service it uses. While the specific compromised software has not been named, the payload delivered is the Airstalk malware. The assessment of nation-state involvement is based on the sophistication of the malware, the use of a stolen certificate, and the strategic nature of a supply chain attack.

Technical Analysis

Airstalk exhibits several advanced features that make it particularly stealthy and resilient:

• C2 via Living Off the Land: The malware's most distinctive feature is its abuse of the VMware Workspace ONE API for command and control (T1102 - Web Service). Instead of connecting to a suspicious, actor-controlled domain, it communicates with a legitimate enterprise service. It specifically uses API functions designed for managing custom device attributes and file uploads to send and receive data, making the malicious traffic extremely difficult to distinguish from benign administrative activity.

• Stolen Code-Signing Certificate: Some Airstalk samples were found to be digitally signed with a valid, likely stolen, code-signing certificate (T1553.002 - Subvert Trust Controls: Code Signing). This allows the malware to bypass operating system defenses and security products that trust signed binaries, making initial execution more likely to succeed.

• Modular and Versioned: The malware is multi-threaded and includes versioning in its C2 protocol, indicating active and ongoing development by a professional team.

• Functionality: Airstalk is an espionage tool designed for data gathering and reconnaissance on compromised systems.

Impact Assessment

As a supply chain attack, the potential impact is widespread. Any organization using the compromised software could become a victim. The primary impact is espionage, as the Airstalk malware is designed to gather and exfiltrate data. The use of a legitimate enterprise management tool's API for C2 makes detection and remediation particularly challenging, as blocking the API could disrupt legitimate business operations. This forces defenders into a difficult position and allows the malware to persist for longer periods.

Detection & Response

• API Log Analysis: Organizations using VMware Workspace ONE should meticulously analyze its API logs. Look for anomalous patterns, such as an unusual frequency of custom attribute updates, unexpected file uploads, or API calls originating from systems that should not be interacting with the UEM platform in that manner.
• Certificate Revocation Checking: Ensure that endpoint security solutions and OS policies are configured to check for certificate revocation. Monitor for the execution of binaries signed by newly issued or unexpected certificates.
• Threat Hunting: Hunt for the specific indicators of compromise (IOCs) associated with Airstalk and the CL-STA-1009 cluster as they become available.
• Supply Chain Auditing: Review the security posture of all third-party software vendors. Scrutinize software updates before deployment.

Mitigation

• Application Allowlisting (D3-EAL): Implement strict application allowlisting to prevent the execution of unauthorized software, including the initial dropper from the compromised supply chain component.
• Egress Traffic Filtering (D3-OTF): While Airstalk uses a legitimate service for C2, it may still be possible to filter traffic based on more granular details. If possible, restrict which endpoints are allowed to communicate with the Workspace ONE API. All other servers should be blocked from reaching it.
• Software Supply Chain Security: Implement a robust process for vetting software vendors and verifying the integrity of software updates before they are deployed. This can include static and dynamic analysis of new binaries.
• Principle of Least Privilege: Ensure that servers and endpoints have the minimum necessary network access. A server that does not need to be managed by Workspace ONE should be blocked from communicating with its API endpoints.