Able Desktop updates delivered APT malware
Able Desktop, a Mongolian business suite used by government agencies, delivered HyperBro, Korplug, and Tmanger through trojanized installers and a likely compromised update path.
Story
ESET placed Able Desktop at the center of Operation StealthyTrident. The software was part of a Mongolian business-management suite and was advertised as used by more than 430 government agencies. ENISA later used it as a supply-chain taxonomy case, and the Atlantic Council treated it as one of the historical precedents that made Sunburst easier to understand.
The delivery was not a single file. ESET saw two trojanized 7-Zip SFX installers, and also saw legitimate Able Desktop clients download malware through the normal update mechanism. The update path saved the fetched executable as %USERPROFILE%\Documents\Able\Able Desktop.exe and then ran it.
The payloads changed over time. Trojanized installers carried the legitimate application plus HyperBro or Korplug. The update path delivered HyperBro as early as mid-2018 and Tmanger by July 2020. The installers used DLL side-loading with legitimate Symantec and McAfee executables, loader DLLs, and XOR-encoded payloads stored in files such as thumb.db.
Attribution stayed cautious. HyperBro is associated with LuckyMouse, Tmanger with TA428, and one Tmanger command server overlapped ShadowPad infrastructure. Avast/GenDigital separately described a related East Asia campaign against Mongolian government networks. The stronger fact is the supply-chain failure: trusted Able Desktop distribution and update plumbing delivered remote-access malware into government environments.
Affected Artifacts
- Artifact 1 (update mechanism)
  - Observed: 2020-06-01 to 2020-07-31
  - Compromised versions: Unknown
  - Fixed: Not listed
  - Hashes:
    - sha1:8fff5c6eb4daee2052b3578b73789eb15711feee
    - sha1:0550aae6e3ceabcef2a3f926339e68817112059a
    - sha1:ed6cecfdaaeb7f41a824757862640c874ef3f7ae
  - Notes:
    - ESET assessed the update mechanism as compromised because the real Able Desktop client fetched malware from the expected update filename and path over HTTPS.
    - Able Soft told ESET that updates were halted after notification and that it had not observed further use after July 2020.
- Artifact 2 (trojanized installers)
  - Observed: 2018-05-01 to 2020-07-31
  - Compromised versions: Unknown
  - Fixed: Not listed
  - Hashes:
    - sha1:0b0cf4ada30797b0488857f9a3b1429f44335fb6
    - sha1:b51835a5d8da77a49e3266494a8ae96764c4c152
    - sha1:23a227dd9b77913d15735a25efb0882420b1de81
    - +2 more
  - Evidence: mirror: welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop; file: data.dat; file: data1.dat; file: data1.exe; +9 more
  - Notes:
    - ESET observed two trojanized Able Desktop installers but did not confirm whether they were downloadable from Able's website or another distribution source.
    - The installers bundled the legitimate Able Desktop application with malware loaded through side-loaded DLLs and XOR-encoded payload files.
Incident Context
- Motive: Espionage
- Attribution: State
- Cause: Update Infrastructure Compromise
- Transitive: No
- Actor: China-linked APT operators
External References
- Operation StealthyTrident: corporate software under attack (welivesecurity.com)
- ENISA Threat Landscape for Supply Chain Attacks (enisa.europa.eu)
- Broken Trust: Lessons from Sunburst (atlanticcouncil.org)
- APT group targeting governmental agencies in East Asia (gendigital.com)
- Chinese APT suspected of supply chain attack on Mongolian government agencies (zdnet.com)
- Chinese APT suspected of supply chain attack on Mongolian government agencies (scceu.org)
- The APT group targeting Mongolia's government (blog.avast.com)
- APT actor compromises website to distribute malware (securelist.com)
- Able Desktop supply chain analysis (blog.malwarebytes.com)
Source record: proprietary/able/meta.yaml