New Sidewalk malware linked to Grayfly – espionage group from China

Researchers reveal that the backdoor malware is connected to the group responsible for attacks on organizations in Taiwan, Vietnam, and the U.S.

Image: Grayfly, the Chinese hacker group linked to the backdoor, targets organizations in Asia, Europe, and the US.

The newly analyzed malware has now been linked to the long-running Chinese espionage group Grayfly.[1] The backdoor was recently found when it targeted a computer retail company in the United States. The SideWalk malware was analyzed by cybersecurity firm ESET at the end of August,[2] when it was disclosed that the information-gathering malware was designed to run processes on the compromised system and report the results to a remote server.

The malware is designed to load arbitrary plugins from a server the attackers control and then run further commands. It was first attributed to a group called SparklingGoblin, but the Symantec Threat Hunter Team now reports that the malware was created by the Grayfly hackers, also known as GREF or Wicked Panda. The group is also tracked as APT41,[3] and some of its members were recently indicted in the US.

The recent campaign involving Sidewalk suggests that Grayfly has been undeterred by the publicity surrounding the indictments.

The recent surge in ProxyShell attacks

Researchers found that the recent Sidewalk campaigns focused in particular on MySQL servers, with the initial infection vector exploiting flaws in public-facing servers. Numerous alerts[4] have warned of the rising number of such ProxyShell attacks: at least 140 web shells were deployed against almost 2000 vulnerable Microsoft Exchange servers.

One of the reported vulnerabilities, CVE-2021-34523, allows an attacker to execute arbitrary code on the server after authentication, because the affected service does not validate access tokens properly. Once a web shell has been installed, the Sidewalk backdoor can be installed and executed. Analysis shows that the Mimikatz credential-dumping tool is then launched. This malware, and one particular version of it, had been used in multiple earlier Grayfly attacks, hence the newly reported connection.
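The chain described above (exploitation of a public-facing Exchange server, then a web shell, then the backdoor) leaves traces in the IIS request logs. The following script is an added example, not tooling from Symantec, ESET or the article's author: it parses IIS W3C log lines and applies two defensive heuristics that are assumptions of this example, not rules stated in the article. The first flags ProxyShell-style path-confusion requests to autodiscover.json whose query string contains an `@`; the second flags successful hits on `.aspx` pages that are absent from a baseline of pages seen on a clean host. The log lines, the baseline and the IP addresses are all constructed for the demonstration.

```python
"""Flag ProxyShell-style requests and unexpected .aspx hits in IIS W3C logs.

Added example for this article (not the researchers' tooling). The field
names follow the IIS W3C log format; the sample log, the baseline of
known-good pages and both heuristics are constructed assumptions.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample: a benign OWA logon, a ProxyShell-style path confusion
# request, a hit on an .aspx page outside the baseline, and a benign ECP hit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-09-01 10:00:01 GET /owa/auth/logon.aspx - 198.51.100.10 200
2021-09-01 10:00:05 POST /autodiscover/autodiscover.json @example.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.com 203.0.113.7 200
2021-09-01 10:00:09 POST /owa/auth/Current/themes/resources/shell.aspx - 203.0.113.7 200
2021-09-01 10:00:12 GET /ecp/default.aspx - 198.51.100.11 200
"""

# Constructed baseline: .aspx pages observed on the same host during a clean
# period. In practice this is generated from the host, not typed by hand.
KNOWN_GOOD_ASPX = {
    "/owa/auth/logon.aspx",
    "/ecp/default.aspx",
}


@dataclass
class Finding:
    record: int   # 1-based index of the log record (header lines excluded)
    rule: str     # which heuristic fired
    client: str   # c-ip of the request
    stem: str     # cs-uri-stem as logged


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; a production tool would report it
        yield dict(zip(fields, values))


def is_proxyshell_like(rec):
    """Heuristic (assumed): autodiscover.json requested with '@' in the query."""
    stem = rec["cs-uri-stem"].lower()
    query = unquote(rec["cs-uri-query"]).lower()
    return stem.endswith("/autodiscover/autodiscover.json") and "@" in query


def is_unexpected_aspx(rec, baseline):
    """Heuristic (assumed): a successful hit on an .aspx page not in the baseline."""
    stem = rec["cs-uri-stem"].lower()
    return (stem.endswith(".aspx")
            and stem not in baseline
            and rec["sc-status"] == "200")


def scan(text, baseline=KNOWN_GOOD_ASPX):
    """Run both heuristics over a log and return the findings in log order."""
    findings = []
    for n, rec in enumerate(parse_w3c(text), 1):
        if is_proxyshell_like(rec):
            findings.append(Finding(n, "proxyshell-path-confusion",
                                    rec["c-ip"], rec["cs-uri-stem"]))
        elif is_unexpected_aspx(rec, baseline):
            findings.append(Finding(n, "unexpected-aspx",
                                    rec["c-ip"], rec["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"record {f.record}: {f.rule} from {f.client} -> {f.stem}")
```

The two heuristics are deliberately separate so that a hit on the second one, an unexpected `.aspx` page, can be correlated with the first by client address; here both findings come from the same constructed source IP, which is the kind of sequence worth escalating. The baseline approach is preferred over an allowlist of directories because web shells are typically written into directories that legitimately serve `.aspx` content.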

Grayfly targets Asia, Europe, North America, and a range of industries

This hacker group has targeted organizations in the food, financial, healthcare, hospitality, manufacturing, and telecommunications industries. Its espionage attacks have affected companies in Taiwan, Vietnam, Mexico, and the U.S. More recent activity was found targeting telecom, media, finance, and IT companies.

The group, active since at least 2017, targets public-facing web servers and deploys web shells before distributing the malware further across the targeted network. Custom backdoors may then be installed to maintain uninterrupted remote access. The espionage group is notorious for exploiting public-facing Microsoft Exchange or MySQL servers in order to obtain sensitive data.

Three Chinese men from this group were indicted for involvement in attacks against more than 100 organizations in India, Hong Kong, Malaysia, Pakistan, Australia, Chile, and many other countries. At the time, the three held senior positions in a company called Chengdu 404, which describes itself as a network security specialist and supposedly employs a team of white-hat hackers for penetration testing and other cybersecurity operations.

The men were charged over attacks linked to the Chinese Ministry of State Security, which allegedly provided them with a degree of state protection. Given these details and the risks to organizations around the world, the group is likely to continue developing new malware and refining its custom tools to evade detection, enhance its infiltration tactics, and carry out additional attacks, researchers[5] say:

Grayfly is a capable actor, likely to continue to pose a risk to organizations in Asia and Europe across a variety of industries.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
