[BreachExchange] Experts Link Sidewalk Malware Attacks to Grayfly Chinese Hacker Group

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Sep 10 08:25:57 EDT 2021


https://thehackernews.com/2021/09/experts-link-sidewalk-malware-attacks.html

A previously undocumented backdoor that was recently found targeting an
unnamed computer retail company based in the U.S. has been linked to a
longstanding Chinese espionage operation dubbed Grayfly.

In late August, Slovakian cybersecurity firm ESET disclosed details of an
implant called SideWalk, which is designed to load arbitrary plugins sent
from an attacker-controlled server, gather information about running
processes in the compromised systems, and transmit the results back to the
remote server.

The cybersecurity firm attributed the intrusion to a group it tracks as
SparklingGoblin, an adversary believed to be connected to the Winnti (aka
APT41) malware family.

But the latest research, published by researchers from Broadcom's Symantec, has
pinned the SideWalk backdoor on the China-linked espionage group, pointing
out the malware's overlaps with the older Crosswalk malware. The latest
Grayfly hacking activity has singled out a number of organizations in
Mexico, Taiwan, the U.S., and Vietnam.

"A feature of this recent campaign was that a large number of targets were
in the telecoms sector. The group also attacked organizations in the IT,
media, and finance sectors," Symantec's Threat Hunter Team said in a
write-up published on Thursday.

Known to be active since at least March 2017, Grayfly functions as the
"espionage arm of APT41," which is notorious for targeting a variety of
industries in pursuit of sensitive data. Its playbook is to exploit
publicly facing Microsoft Exchange or MySQL web servers to install web
shells for initial intrusion, then spread laterally across the network and
install additional backdoors that enable the threat actor to maintain
remote access and exfiltrate amassed information.

In one instance observed by Symantec, the adversary's malicious cyber
activity commenced with targeting an internet-reachable Microsoft Exchange
server to gain an initial foothold in the network. This was followed by
executing a string of PowerShell commands to install an unidentified web
shell, ultimately leading to the deployment of the SideWalk backdoor and a
custom variant of the Mimikatz credential-dumping tool that has been put to
use in previous Grayfly attacks.

"Grayfly is a capable actor, likely to continue to pose a risk to
organizations in Asia and Europe across a variety of industries, including
telecommunications, finance, and media," the researchers said. "It's likely
this group will continue to develop and improve its custom tools to enhance
evasion tactics along with using commodity tools such as publicly available
exploits and web shells to assist in their attacks."