The novel backdoor technique called SideWalk, seen in campaigns targeting US media and retailers late last month, has been tied to an adversary that’s been around for quite a while: namely, China-linked Grayfly espionage group.
ESET researchers, who named and discovered the new “SparklingGoblin” advanced persistent threat (APT) actor behind SideWalk, reported at the time that the group is an offshoot of another APT – Winnti Group – first identified in 2013 by Kaspersky.
ESET also said that the SideWalk backdoor is similar to one used by Winnti (aka APT41, Barium, Wicked Panda or Wicked Spider, an APT known for nation state-backed cyberespionage and financial cybercrime) called CrossWalk (Backdoor.Motnug). Both CrossWalk and SideWalk are modular backdoors used to exfiltrate system information and can run shellcode sent by the command-and-control (C2) server.
According to a report published by Symantec on Thursday, the SideWalk malware has been deployed in recent Grayfly campaigns against organizations in Taiwan, Vietnam, the US and Mexico. Symantec’s Threat Hunter Team has observed recent campaigns that have involved exploits targeting Exchange and MySQL servers.
Besides attacking organizations in the IT, media and finance sectors, the group also has zeroed in on the telecoms sector, according to the report.
Indicted but Undeterred
The US indicted several members of APT41 in September 2020, all of them Chinese residents and nationals. A Federal grand jury charged them with pulling off dozens of crimes, including allegedly facilitating ” the theft of source code, software code-signing certificates, customer-account data and valuable business information,” which in turn “facilitated other criminal schemes, including ransomware and cryptojacking.”
As the Department of Justice (DOJ) said at the time, one of the defendants – Jiang Lizhi – allegedly bragged about having a “working relationship” with the Chinese Ministry of State Security: a relationship that would give him and his alleged co-conspirators a degree of state protection.
According to Symantec researchers, the SideWalk campaign suggests that the arrests and the publicity can’t have made much of a dent in the group’s activity.
You might know Grayfly better by its also-known-as’s, which include GREF and Wicked Panda. Symantec said that even though the Grayfly APT is sometimes labeled APT41, its researchers consider Grayfly to be a distinct arm of APT41 that’s devoted to espionage. This is similar to how Symantec separately tracks other sub-groups of APT41, such as Blackfly, the APT’s cybercrime arm.
Grayfly, a targeted attack group, has been around since at least March 2017, using the CrossWalk/Backdoor.Motnug (aka TOMMYGUN) backdoor. The group has also wielded a custom loader called Trojan.Chattak, Cobalt Strike (aka Trojan.Agentemis, the legitimate, commercially available tool used by network penetration testers and, increasingly, by crooks) and ancillary tools in its attacks.
Researchers have seen Grayfly targeting a number of countries in Asia, Europe, and North America across a variety of industries, including food, financial, healthcare, hospitality, manufacturing and telecommunications. Recently, it’s continued to torment telecoms, but it’s also been going after the media, finance and IT service providers.
Grayfly’s typical modus operandi is to target publicly facing web servers to install web shells for initial intrusion before spreading further within the network, Symantec said. After it has penetrated a network, Grayfly then might install its custom backdoors onto more systems. That gives the operators remote access to the network and proxy connections that enable them to access hard-to-reach segments of a target’s network, according to the writeup.
Walking the Slippery SideWalk
Symantec researchers observed that in the recent SideWalk campaign, Grayfly looked to be particularly interested in attacking exposed Microsoft Exchange or MySQL servers, suggesting that “the initial vector may be the exploit of multiple vulnerabilities against public-facing servers.”
In fact, the Cybersecurity & Infrastructure Security Agency (CISA) recently put out an urgent alert about a surge in ProxyShell attacks, as attackers launched 140 web shells against 1,900 unpatched Microsoft Exchange servers. Security researchers at Huntress reported seeing ProxyShell vulnerabilities being actively exploited throughout the month of August to install backdoor access once the ProxyShell exploit code was published on Aug. 6: A few weeks later, the surge hit.
In at least one of the SideWalk attacks that Symantec researchers observed, the suspicious Exchange activity was followed by PowerShell commands used to install an unidentified web shell. That may sound familiar, given that one of the vulnerabilities Huntress described last month was CVE-2021-34523: a bug that enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.
The Grayfly attackers executed the malicious SideWalk backdoor after the web shell was installed. Then, they deployed a tailor-made version of the open-source, credential-dumping tool Mimikatz that Symantec said has been used in earlier Grayfly attacks. Symantec’s report does a deep dive on the technical details, including indicators of compromise.
Expect more to come, researchers said, since this fly isn’t likely to buzz off: “Grayfly is a capable actor, likely to continue to pose a risk to organizations in Asia and Europe across a variety of industries, including telecommunications, finance, and media. It’s likely this group will continue to develop and improve its custom tools to enhance evasion tactics along with using commodity tools such as publicly available exploits and web shells to assist in their attacks.”
It’s time to evolve threat hunting into a pursuit of adversaries. JOIN Threatpost and Cybersixgill for Threat Hunting to Catch Adversaries, Not Just Stop Attacks and get a guided tour of the dark web and learn how to track threat actors before their next attack. REGISTER NOW for the LIVE discussion on September 22 at 2 PM EST with Cybersixgill’s Sumukh Tendulkar and Edan Cohen, along with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.