China-Linked Grayfly Gang Spotted Using Sidewalk Backdoor
Report: Telcos, Media, Finance and Service Provider Sectors Affected
A recently discovered backdoor named Sidewalk has been linked to Grayfly, the espionage arm of the China-linked group called APT41, and used to strike telcos and other organizations in the U.S., Taiwan, Vietnam and Mexico, Symantec researchers say.
Grayfly targets public-facing web servers to install web shells for initial intrusion before spreading further within the network, according to Symantec.
"Once a network has been compromised, Grayfly may install its custom backdoors onto additional systems," Symantec says. "These tools allow the attackers to have comprehensive remote access to the network and proxy connections allowing them to access hard-to-reach segments of a target's network."
Once on a target system, the attackers deployed a custom version of the credential-dumping tool Mimikatz that has been seen in earlier Grayfly attacks, harvesting credentials that support further movement across the network.
Symantec says the backdoor is related to the older Crosswalk backdoor, and the security firm ESET credits its development to a new group named SparklingGoblin, according to a report issued in August.
SparklingGoblin also has links to the Winnti malware family, according to the ESET researchers.
A Sidewalk Attack
Grayfly uses the Sidewalk backdoor along with a custom loader called Trojan.Chattak and Cobalt Strike, which Symantec detects as Trojan.Agentemis, the company says.
Symantec researchers explored one recent attack and noted that the first indicator was a Base64-encoded PowerShell command executed through a legitimate Exchange Server-related process. That PowerShell command in turn ran certutil, a legitimate Windows certificate-management utility whose Base64 decoding function attackers routinely abuse, to decode and install a web shell.
The attackers then ran a second Base64-encoded PowerShell command that moved the web shell to the Exchange install path. Several minutes later, a backdoor was executed via installutil.exe, the legitimate .NET Framework installer utility, according to the Symantec report.
About an hour later, the attackers executed a WMIC command that ran a Windows batch file, which created a scheduled task to execute the backdoor and ensure persistence, researchers note.
The final step in this attack saw Grayfly activating its custom Mimikatz tool to dump credentials, the report says.
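Read as a detection problem, the chain above is a sequence of living-off-the-land process launches that are individually noisy but distinctive in combination. The script below is an added example, not Symantec's code or part of its report: it parses constructed Sysmon-style process-creation events (not real telemetry), decodes any PowerShell -EncodedCommand payload (which PowerShell requires to be UTF-16LE Base64), tags each event with a stage of the chain, and reports hosts where several stages occur in order within a time window. The Exchange-related parent process names, the pipe-delimited log format, the two-hour window and the three-stage threshold are all assumptions chosen for illustration; Symantec does not name the Exchange process involved.

```python
"""Detection sketch for the Grayfly/Sidewalk intrusion chain (added example)."""
import base64
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, pipe-delimited: time|host|parent_image|image|command_line.
# Not real telemetry. The Base64 payload is built from a benign placeholder so the
# decoder can be exercised offline; it mirrors the certutil -decode step in the report.
PAYLOAD = "certutil -decode C:\\Windows\\Temp\\a.txt C:\\Windows\\Temp\\a.aspx"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_LOG = f"""\
2021-06-01T10:00:00|mail01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc {ENCODED}
2021-06-01T10:00:04|mail01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\certutil.exe|{PAYLOAD}
2021-06-01T10:07:30|mail01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe|InstallUtil.exe /logfile= /LogToConsole=false C:\\Windows\\Temp\\svc.dll
2021-06-01T11:06:10|mail01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic process call create "cmd.exe /c C:\\Windows\\Temp\\run.bat"
2021-06-01T11:06:12|mail01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\schtasks.exe|schtasks /create /sc daily /tn WindowsUpdateCheck /tr C:\\Windows\\Temp\\svc.exe
2021-06-01T10:02:00|ws17|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-Process
"""

# Assumed Exchange-related parent processes (w3wp.exe hosts Exchange's IIS-side
# services); the report does not name the process that spawned PowerShell.
def is_exchange_parent(parent):
    return parent == "w3wp.exe" or parent == "umworkerprocess.exe" or parent.startswith("msexchange")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(cmd):
    """Return the UTF-16LE text behind an encoded-command flag, or None if absent/invalid."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_event(line):
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "parent": ntpath.basename(parent).lower(),
            "image": ntpath.basename(image).lower(), "cmd": cmd}

# Chain stages in the order the report describes them.
CHAIN = ["encoded_powershell_from_exchange", "certutil_decode", "installutil_exec",
         "wmic_batch", "schtasks_persistence"]

def classify(ev):
    """Return the chain stages a single event matches (usually zero or one)."""
    cmd = ev["cmd"].lower()
    stages = []
    if ev["image"] == "powershell.exe" and is_exchange_parent(ev["parent"]) \
            and decode_encoded_command(ev["cmd"]) is not None:
        stages.append("encoded_powershell_from_exchange")
    if ev["image"] == "certutil.exe" and "-decode" in cmd:
        stages.append("certutil_decode")
    if ev["image"] == "installutil.exe":  # noisy alone; useful only in the chain
        stages.append("installutil_exec")
    if ev["image"] == "wmic.exe" and "process call create" in cmd and ".bat" in cmd:
        stages.append("wmic_batch")
    if ev["image"] == "schtasks.exe" and "/create" in cmd:
        stages.append("schtasks_persistence")
    return stages

def correlate(log_text, window=timedelta(hours=2), min_stages=3):
    """Per host, report chain stages seen within `window` of the first suspicious
    event, in chain order, when at least `min_stages` distinct stages are present."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for stage in classify(ev):
            by_host[ev["host"]].append((ev["time"], stage))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        start = events[0][0]
        seen = {s for t, s in events if t - start <= window}
        ordered = [s for s in CHAIN if s in seen]
        if len(ordered) >= min_stages:
            hits[host] = ordered
    return hits

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG).items():
        print(host, "->", " > ".join(stages))
```

On the constructed sample, mail01 matches all five stages inside the window while the workstation that ran a plain PowerShell command from explorer.exe produces no hits; in production the installutil.exe and schtasks rules would fire constantly on their own, which is why the correlation step, not any single rule, carries the signal.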
Grayfly's Criminal History
Grayfly has been active since early 2017. In September 2020, five Chinese nationals were indicted by the U.S. Department of Justice for allegedly breaching more than 100 companies, government agencies and other organizations around the world.
Symantec says three of the men were included in the indictment for their alleged involvement in attacks that involved Grayfly tools and tactics.
"At the time of the indictment, Jiang Lizhi, Qian Chuan, and Fu Qiang were based in the Chinese city of Chengdu and held senior positions in a company called Chengdu 404. The company describes itself as a network security specialist and claims to employ a team of white hat hackers who can perform penetration testing along with other security operations," Symantec says.
The other two men indicted are Zhang Haoran and Tan Dailin.
The victims of the attacks included computer hardware and software companies, telecoms, social media firms, video game makers, nonprofits and foreign governments, and pro-democracy politicians and activists in Hong Kong.