A previously undocumented backdoor has been found in use by Grayfly, a Chinese espionage group, to infiltrate a US-based computer retailer. In August, security firm ESET published details of the implant, known as SideWalk. The implant is designed to collect information from compromised systems by loading arbitrary plugins, fetched from servers controlled by the threat actors, onto the infected host.
According to the cybersecurity firm, an adversary known as SparklingGoblin gained access to the US-based computer retail company's network. The group was believed to be connected to the Winnti malware family (aka APT41).
Researchers at Broadcom's Symantec believe that the SideWalk Trojan shares similarities with the Crosswalk malware, which is likewise attributed to China. The company also noted that the latest Grayfly attacks have targeted organizations in several countries, including Vietnam, Taiwan, the USA, and Mexico, and Symantec's Threat Hunter department said the recent series of attacks hit a range of industries, including telecommunications, IT, and media.
Known to be active since 2017, Grayfly is an espionage division of APT41 that targets a range of industries with the sole motive of stealing sensitive information. It exploits public-facing web servers to install webshells, which are then used for data theft and exfiltration.
Symantec observed an incident in which the threat actors initiated the attack by accessing an internet-facing Microsoft Exchange server. The attacker gained access to the server's settings and launched a string of PowerShell commands. The attack concluded with the deployment of the SideWalk backdoor and the Mimikatz credential-dumping tool.
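As an added illustration (not code from the article or from Symantec's report), the following Python script applies three detection rules to constructed process-creation events modelled on the chain described above: an Exchange worker process spawning PowerShell, an encoded PowerShell command (decoded so an analyst can read it), and a credential-dumping tool launched by name. The process names, file paths and sample events are assumptions for the example, not indicators from the article.

```python
import base64
from pathlib import PureWindowsPath

# Constructed process-creation events (not from the article), one per line:
# timestamp|host|parent_image|image|command_line
ENCODED = base64.b64encode("Start-Process C:\\Users\\Public\\sw.exe".encode("utf-16-le")).decode()
SAMPLE_EVENTS = f"""
2021-09-09T10:00:01Z|exch01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc {ENCODED}
2021-09-09T10:00:09Z|exch01|C:\\Windows\\System32\\cmd.exe|C:\\Users\\Public\\mimikatz.exe|mimikatz.exe
2021-09-09T10:01:00Z|exch01|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2021-09-09T10:02:00Z|ws42|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\scripts\\backup.ps1
""".strip().splitlines()

# Assumption: w3wp.exe (IIS) and UMWorkerProcess.exe host Exchange's web and UM roles.
EXCHANGE_WORKERS = {"w3wp.exe", "umworkerprocess.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
CRED_DUMPERS = {"mimikatz.exe"}  # name match only; behavioural rules (LSASS access) are out of scope here

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def decode_encoded_command(cmdline: str):
    """Return the payload of a -EncodedCommand (base64 of UTF-16LE) argument, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-e", "-ec", "-enc", "-encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # malformed payload: still worth a look, but not decodable
    return None

def classify(line: str) -> list:
    """Apply the three rules to one event and return the names of the rules that fire."""
    _ts, _host, parent, image, cmdline = line.split("|", 4)
    hits = []
    if basename(parent) in EXCHANGE_WORKERS and basename(image) in SHELLS:
        hits.append("exchange_worker_spawned_powershell")
    decoded = decode_encoded_command(cmdline) if basename(image) in SHELLS else None
    if decoded is not None:
        hits.append("encoded_powershell:" + decoded)
    if basename(image) in CRED_DUMPERS:
        hits.append("credential_dumping_tool")
    return hits

def scan(events: list) -> dict:
    """Map each event's timestamp to its alerts, dropping events that raise none."""
    return {e.split("|", 1)[0]: hits for e in events if (hits := classify(e))}
```

Running scan(SAMPLE_EVENTS) flags only the first two constructed events; the service start and the scheduled backup script on the workstation produce no alerts.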
The researchers said that Grayfly is a capable actor, one that is most likely to continue developing and improving its techniques and tools in order to exploit vulnerable public-facing servers in Asia and Europe across a variety of industries, including telecommunications, finance, and media.