monpass
MonPass Mongolian CA distributed Cobalt Strike-laced installer
Avast disclosed in July 2021 that the official client installer for MonPass — a major Mongolian certificate authority — was backdoored on the company's download site between 2021-02-08 and 2021-03-03. The trojanized installer wrapped the legitimate MonPass client (used by Mongolian users to interact with their digital certificates), executing it normally while side-loading a Cobalt Strike beacon for remote access. Avast notified MonPass, which acknowledged the compromise and notified affected customers.
- Date
- 2021-02-08 to 2021-03-03
- Category
- Commercial
- Target Surface
- Distribution
- Insertion Phase
- distribution
- Impact
- Backdoor
- Cause
- Website compromise
What Was Affected
Package
monpass
Language
c++
Component
Application
Artifact type
binary archive
Domain type
vendor
Domain
int.monpass.mn
Incident Context
- Motive
- Espionage
- Attribution
- Nation-state
- Transitive
- No
- Observed Duration
- 23 days
External References
Source Data
Source record: proprietary/monpass/meta.yaml