Backdoor detected in MonPass CA client software

Avast has published the results of an investigation into the compromise of a server belonging to MonPass, a Mongolian certification authority, which led to a backdoor being inserted into an application offered to customers for installation. The analysis showed that the infrastructure was compromised through one of MonPass's public web servers running on the Windows platform. Traces of eight different intrusions were found on that server, as a result of which eight webshells and backdoors for remote access were installed.

Malicious changes were also made to the official client software, which was shipped with the backdoor from February 8 to March 3. The investigation began when, in response to a customer complaint, Avast confirmed the presence of malicious changes in the installer distributed through the official MonPass website. After being notified of the problem, MonPass employees gave Avast access to a copy of the compromised server's disk image to investigate the incident.

Source: opennet.ru
