A recent study of a backdoor known as Sidewalk has attributed it to Grayfly, the espionage arm of the Chinese group tracked as APT41, which has previously attacked telecoms in the US, Taiwan, Vietnam, and Mexico. According to Symantec, Grayfly gains its initial foothold by exploiting publicly accessible web servers to deploy web shells, and only then spreads further through the victim's systems.
Symantec states that the backdoor is related to the earlier Crosswalk backdoor; in a report released in August, the security company ESET had credited this evolution of it to a new group it called SparklingGoblin. Symantec's Threat Hunter Team has now linked the malware to Grayfly (also known as GREF and Wicked Panda), a Chinese espionage outfit that had many members convicted in the United States last year. Although the group is sometimes referred to simply as APT41, Symantec regards Grayfly as the espionage offshoot of APT41. According to ESET's researchers, SparklingGoblin is also connected to the Winnti malware family.
Grayfly has been operational since the beginning of 2017. In September 2020, five Chinese nationals were convicted by the U.S. Department of Justice of breaching more than 100 enterprises, government agencies, and other organizations around the world.
“Once a network has been compromised, Grayfly may install its custom backdoors onto additional systems,” Symantec says. “These tools allow the attackers to have comprehensive remote access to the network and proxy connections allowing them to access hard-to-reach segments of a target’s network.”
Once the target machine had been compromised, the intruder loaded a bespoke version of the Mimikatz credential-dumping tool. The backdoor gives the attackers remote access to the system and proxy connections, allowing them to reach any part of the target's network. Besides the Sidewalk backdoor, Grayfly uses a custom Trojan loader.
Symantec researchers investigated one such attack; the first indication of it was a Base64-encoded PowerShell command executed in connection with the Exchange Server. The attacker then used that PowerShell command to run certutil, a Windows utility that dumps and displays certification authority configuration information, in order to decode and deploy a web shell. Immediately afterwards, the attacker ran a second Base64-encoded PowerShell command that copied the web shell into the Exchange installation path. A few minutes later, according to Symantec's analysis, a backdoor was executed via installutil.exe. Roughly an hour later, the attackers issued a WMIC command that ran a Windows batch file and created a scheduled task to run the backdoor, the researchers say.
As the final phase of this attack, the report says, Grayfly ran its custom Mimikatz build to dump credentials.
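Every stage in the chain described above except the credential dump leaves a process-creation record that a defender can match on: a web server process spawning an encoded PowerShell command, certutil decoding a file, something written into the Exchange web root, installutil.exe launching a payload, WMIC running a batch file, and a scheduled task being created. The following Python is an added example (not Symantec's code or data) that tags each of those signals on constructed log lines in an assumed `key=value` layout, decodes the Base64/UTF-16LE payload of `-EncodedCommand` so the hidden certutil call is also inspected, and raises one alert per host once several distinct stages have been seen. The `EXAMPLE_WEBROOT` path segment and all hostnames are placeholders. The custom Mimikatz build at the end is not covered, since a renamed credential dumper leaves no command-line signature; that stage needs memory-access telemetry (for example LSASS access events) rather than process logs.

```python
"""Stage-aware detector for the intrusion chain described above.

Runs over constructed process-creation events (assumed format, not the
Symantec report's data) and tags the individual techniques, then alerts
when several of them appear on the same host.
"""
import base64
import re
from collections import defaultdict

# Constructed sample payload: built here so the sample is valid Base64/UTF-16LE,
# exactly how PowerShell expects an -EncodedCommand argument.
_DECODED = "certutil -decode C:\\Temp\\blob.txt C:\\Temp\\out.bin"
_ENCODED = base64.b64encode(_DECODED.encode("utf-16le")).decode("ascii")

# Constructed sample events (hostnames and paths are placeholders).
SAMPLE_EVENTS = [
    "2021-09-01T08:00:01 host=MAIL01 parent=w3wp.exe image=powershell.exe cmd=powershell.exe -enc " + _ENCODED,
    "2021-09-01T08:00:05 host=MAIL01 parent=powershell.exe image=certutil.exe cmd=certutil -decode C:\\Temp\\blob.txt C:\\Temp\\out.bin",
    "2021-09-01T08:00:09 host=MAIL01 parent=w3wp.exe image=cmd.exe cmd=cmd /c copy C:\\Temp\\out.bin \"C:\\Program Files\\Microsoft\\Exchange Server\\EXAMPLE_WEBROOT\\x.aspx\"",
    "2021-09-01T08:04:30 host=MAIL01 parent=w3wp.exe image=installutil.exe cmd=installutil.exe C:\\Temp\\svc.dll",
    "2021-09-01T09:05:12 host=MAIL01 parent=cmd.exe image=wmic.exe cmd=wmic process call create \"cmd /c C:\\Temp\\run.bat\"",
    "2021-09-01T09:05:14 host=MAIL01 parent=cmd.exe image=schtasks.exe cmd=schtasks /create /tn Updater /tr C:\\Temp\\svc.exe /sc minute",
    "2021-09-01T09:10:00 host=FS02 parent=explorer.exe image=powershell.exe cmd=powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$")
# PowerShell accepts abbreviated switch names, so match the common prefixes.
ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
WEB_SERVERS = {"w3wp.exe"}
# Stages of the chain that count towards the per-host alert.
STAGES = {"encoded_powershell", "certutil_decode", "file_in_exchange_webroot",
          "installutil_exec", "wmic_runs_batch", "scheduled_task_created"}


def parse_event(line):
    """Parse one assumed-format log line into a dict, or None if it does not fit."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def decode_encoded_powershell(cmd):
    """Return the plaintext of an -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def tag_event(ev):
    """Return the set of technique tags a single event triggers."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
    tags = set()
    text = cmd
    if image == "powershell.exe":
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            tags.add("encoded_powershell")
            text = cmd + " " + decoded  # inspect what the encoding hid as well
    low = text.lower()
    if "certutil" in low and ("-decode" in low or "-urlcache" in low):
        tags.add("certutil_decode")
    if "\\microsoft\\exchange server\\" in low and ".aspx" in low:
        tags.add("file_in_exchange_webroot")
    if image == "installutil.exe":
        tags.add("installutil_exec")
    if image == "wmic.exe" and "process call create" in low:
        tags.add("wmic_process_create")
        if ".bat" in low:
            tags.add("wmic_runs_batch")
    if image == "schtasks.exe" and "/create" in low:
        tags.add("scheduled_task_created")
    if parent in WEB_SERVERS and image in {"cmd.exe", "powershell.exe"}:
        tags.add("webserver_spawned_shell")
    return tags


def analyze(lines, min_stages=3):
    """Tag every event; alert per host once >= min_stages distinct chain stages appear."""
    per_host = defaultdict(set)
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        tags = tag_event(ev)
        if tags:
            findings.append((ev["ts"], ev["host"], sorted(tags)))
            per_host[ev["host"]] |= tags & STAGES
    alerts = {host: sorted(s) for host, s in per_host.items() if len(s) >= min_stages}
    return findings, alerts


if __name__ == "__main__":
    found, alerted = analyze(SAMPLE_EVENTS)
    for ts, host, tags in found:
        print(ts, host, ", ".join(tags))
    print("ALERTS:", alerted)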
Expect more to come, researchers said: “Grayfly is a capable actor, likely to continue to pose a risk to organizations in Asia and Europe across a variety of industries, including telecommunications, finance, and media. It’s likely this group will continue to develop and improve its custom tools to enhance evasion tactics along with using commodity tools such as publicly available exploits and web shells to assist in their attacks.”