Researchers from Symantec have come across a new SideWalk backdoor, linked to Chinese threat actor groups, deployed in recent Grayfly campaigns. During the initial investigation, the researchers observed the threat actors targeting organizations in the IT, media and finance sectors in countries including Taiwan, Vietnam, the United States and Mexico.
Grayfly (aka GREF and Wicked Panda) is a targeted attack group that has been active since at least March 2017 using a custom backdoor known as Backdoor.Motnug (aka TOMMYGUN/CROSSWALK), a custom loader called Trojan.Chattak, Cobalt Strike (aka Trojan.Agentemis), and ancillary tools in its attacks.
“Once a network has been compromised, Grayfly may install its custom backdoors onto additional systems. These tools allow the attackers to have comprehensive remote access to the network and proxy connections allowing them to access hard-to-reach segments of a target’s network,” reads the blog post.
Once the backdoor is installed, the threat actors appear to install a custom version of the Mimikatz tool for credential dumping, activity that was also observed in earlier Grayfly attacks.
In the first instance, the attack was observed at 20:39, when Base64-encoded PowerShell code was executed on Exchange servers to run certutil, which decoded and installed the web shell. In a second step, another Base64-encoded PowerShell script was executed to move the web shell to the Exchange server install path.
“Roughly an hour later, the attackers were observed executing a WMIC command in order to run a Windows batch file. This file was used to create a scheduled task to execute the backdoor and ensure persistence. Shortly after this, Mimikatz was executed to dump credentials,” reads the blog post.
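As an added example (not code from Symantec's report), the following Python scans constructed process-creation log lines for the chain described above: an encoded PowerShell command is decoded and checked for a certutil -decode call or a write into a web-accessible path, and WMIC-driven process creation is flagged. The log format, file paths and sample commands are assumptions, not values from the report.

```python
import base64
import re

def encoded_ps(cmd: str) -> str:
    """Encode a command the way powershell -EncodedCommand expects (UTF-16LE, Base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()

# Constructed Sysmon-style process-creation records (hypothetical, not from the report).
SAMPLE_LOGS = [
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine: "
    "powershell.exe -nop -w hidden -enc "
    + encoded_ps("certutil -decode C:\\Windows\\Temp\\a.txt C:\\inetpub\\wwwroot\\aspnet_client\\a.aspx"),
    "Image: C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine: "
    "wmic process call create \"cmd /c C:\\Windows\\Temp\\run.bat\"",
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine: "
    "powershell.exe Get-Date",
]

# Matches the abbreviated forms PowerShell accepts for -EncodedCommand (-e, -ec, -en, -enc ...).
ENC_FLAG = re.compile(r"(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse(line: str) -> list:
    """Return a list of detection tags for one process-creation record."""
    findings = []
    image, _, cmdline = line.partition("|CommandLine: ")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded_powershell")
        if re.search(r"certutil(\.exe)?\s+-decode", decoded, re.IGNORECASE):
            findings.append("certutil_decode_in_encoded_ps")
        if re.search(r"\\inetpub\\|\\ClientAccess\\|\.aspx\b", decoded, re.IGNORECASE):
            findings.append("webshell_path_write")
    if image.lower().endswith("wmic.exe") and "process call create" in cmdline.lower():
        findings.append("wmic_process_create")
    return findings

def scan(logs) -> dict:
    """Map record index -> findings, keeping only records that triggered something."""
    results = {}
    for i, line in enumerate(logs):
        tags = analyse(line)
        if tags:
            results[i] = tags
    return results
```

In a real deployment the same checks would run over Sysmon Event ID 1 or Security 4688 command-line fields rather than the inline list, and the certutil and web-path rules are the ones worth alerting on in isolation.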
Indicators of Compromise

| SHA256 | Description | Detection |
|---|---|---|
| 25a7c1f94822dc61211de253ff0a5805a0eb83921126732a0d52b1f1967cf079 | SideWalk loader | Trojan Horse |