
Chinese Threat Actors Using Newly Discovered Malware For Infecting Exchange Servers

Researchers from Symantec have come across a new SideWalk backdoor, linked to Chinese threat actor groups, deployed in recent Grayfly campaigns. During the initial investigation, the researchers observed the threat actors targeting organizations in the IT, media and finance sectors in countries including Taiwan, Vietnam, the United States and Mexico.

Grayfly (aka GREF and Wicked Panda) is a targeted attack group that has been active since at least March 2017 using a custom backdoor known as Backdoor.Motnug (aka TOMMYGUN/CROSSWALK), a custom loader called Trojan.Chattak, Cobalt Strike (aka Trojan.Agentemis), and ancillary tools in its attacks.

“Once a network has been compromised, Grayfly may install its custom backdoors onto additional systems. These tools allow the attackers to have comprehensive remote access to the network and proxy connections allowing them to access hard-to-reach segments of a target’s network,” reads the blogpost.

Once the backdoor is installed, the threat actors appear to install a custom version of the Mimikatz tool for credential dumping, an activity previously observed in earlier Grayfly attacks.

In the first instance, the attack was observed at 20:39, when Base64-encoded PowerShell code was executed on the Exchange server to run certutil, which decoded and installed the web shell. In the second step, another Base64-encoded PowerShell script was executed to move the web shell into the Exchange Server install path.

“Roughly an hour later, the attackers were observed executing a WMIC command in order to run a Windows batch file. This file was used to create a scheduled task to execute the backdoor and ensure persistence. Shortly after this, Mimikatz was executed to dump credentials,” reads the blogpost.

Indicators of Compromise

SHA256                                                           | Description     | Detection
-----------------------------------------------------------------|-----------------|------------------
1b5b37790b2029902d2d6db2da20da4d0d7846b20e32434f01b2d384eba0eded | SideWalk loader | Trojan.Gen.MBT
b732bba813c06c1c92975b34eda400a84b5cc54a460eeca309dfecbe9b559bd4 | SideWalk loader | Trojan.Gen.MBT
04f6fc49da69838f5b511d8f996dc409a53249099bd71b3c897b98ad97fd867c | SideWalk loader | Trojan.Gen.MBT
25a7c1f94822dc61211de253ff0a5805a0eb83921126732a0d52b1f1967cf079 | SideWalk loader | Trojan Horse
b3eb783b017da32e33d19670b39eae0b11de8e983891dd4feb873d6e9333608d | Mimikatz        | Hacktool.Mimikatz
Source: Symantec
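The attack chain described above (encoded PowerShell running certutil to decode a web shell, the web shell moved into the Exchange install path, WMIC launching a batch file, a scheduled task for persistence, then Mimikatz) and the IoC table are both things a defender can turn into process-creation detections. The following is an added example written for this post, not code from Symantec or the Grayfly report: it decodes PowerShell -EncodedCommand arguments, applies one rule per stage of the chain, and matches file hashes against the SHA256 values from the table. The event records, file paths and task names are constructed for the example; the Sysmon-style field names (Image, CommandLine, SHA256) are an assumption about the log source.

```python
import base64
import re
from typing import Dict, List

# SHA256 values exactly as listed in the Symantec IoC table above.
SIDEWALK_IOC_SHA256 = {
    "1b5b37790b2029902d2d6db2da20da4d0d7846b20e32434f01b2d384eba0eded": "SideWalk loader",
    "b732bba813c06c1c92975b34eda400a84b5cc54a460eeca309dfecbe9b559bd4": "SideWalk loader",
    "04f6fc49da69838f5b511d8f996dc409a53249099bd71b3c897b98ad97fd867c": "SideWalk loader",
    "25a7c1f94822dc61211de253ff0a5805a0eb83921126732a0d52b1f1967cf079": "SideWalk loader",
    "b3eb783b017da32e33d19670b39eae0b11de8e983891dd4feb873d6e9333608d": "Mimikatz",
}

# PowerShell accepts abbreviated switches, so match the common spellings of -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
EXCHANGE_PATH = re.compile(r"\\Microsoft\\Exchange Server\\", re.I)
FILE_MOVE = re.compile(r"\b(move-item|copy-item|move|copy)\b", re.I)


def ps_encoded(command: str) -> str:
    """Encode a command the way PowerShell expects for -EncodedCommand (UTF-16LE, Base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of an -EncodedCommand argument, or '' if the line has none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyse_event(event: Dict[str, str]) -> List[str]:
    """Apply one rule per stage of the reported chain; return the names of the rules that matched."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    hits: List[str] = []
    effective = cmd  # the visible command line plus anything hidden inside an encoded command
    if image.endswith("powershell.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded:
            hits.append("powershell_encoded_command")
            effective = cmd + " " + decoded
    low = effective.lower()
    # Stage 1: certutil used as a decoder to drop the web shell.
    if "certutil" in low and "-decode" in low:
        hits.append("certutil_decode")
    # Stage 2: a file moved or copied into the Exchange Server install tree.
    if EXCHANGE_PATH.search(effective) and FILE_MOVE.search(effective):
        hits.append("file_moved_into_exchange_path")
    # Stage 3: WMIC used to launch a batch file.
    if image.endswith("wmic.exe") and "process call create" in low and ".bat" in low:
        hits.append("wmic_launches_batch")
    # Stage 4: scheduled task created for persistence.
    if image.endswith("schtasks.exe") and "/create" in low:
        hits.append("scheduled_task_created")
    # Stage 5: credential dumping tool by name ...
    if "mimikatz" in low:
        hits.append("mimikatz_keyword")
    # ... and any binary by hash against the published IoC list.
    label = SIDEWALK_IOC_SHA256.get(event.get("SHA256", "").lower())
    if label:
        hits.append(f"ioc_hash:{label}")
    return hits


def scan(events: List[Dict[str, str]]) -> List[List[str]]:
    """Run every rule over every record, preserving event order."""
    return [analyse_event(e) for e in events]


# Constructed process-creation records (assumed Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc " + ps_encoded(r"certutil -decode C:\ProgramData\w.txt C:\ProgramData\w.aspx")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + ps_encoded(
         r"Move-Item C:\ProgramData\w.aspx 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\w.aspx'")},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process call create "cmd.exe /c C:\ProgramData\update.bat"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Update" /tr "C:\ProgramData\svc.exe" /sc onlogon'},
    {"Image": r"C:\ProgramData\mimikatz.exe", "CommandLine": "mimikatz.exe",
     "SHA256": "b3eb783b017da32e33d19670b39eae0b11de8e983891dd4feb873d6e9333608d"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, hits in enumerate(scan(SAMPLE_EVENTS)):
        print(idx, hits or "-")
```

Each stage on its own (an encoded PowerShell command, a scheduled task) is common in ordinary administration, which is why the rules return names rather than a verdict: the value is in correlating several of them on one Exchange host within a short window, as in the timeline reported above, and in the hash match, which needs no interpretation at all.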

