DNS hijack found Avast

This research provides analysis of relevant backdoored installers and other samples that we found occurring in the wild.

We also found that the MonPass client available for download from 8 February 2021 until 3 March 2021 was backdoored. Our analysis, which began in April 2021, indicates that a public web server hosted by MonPass was breached potentially eight separate times: we found eight different webshells and backdoors on this server. We have confirmed with MonPass that they have taken steps to address these issues, and we are now presenting our analysis.

We immediately notified MonPass on 22 April 2021 of our findings and encouraged them to address their compromised server and notify those who downloaded the backdoored client.

We discovered that an installer downloaded from the official website of MonPass, a major certification authority (CA) in Mongolia in East Asia, was backdoored with Cobalt Strike binaries.