Pierluigi Paganini September 10, 2021

Security researchers from Broadcom’s Symantec linked a previously undocumented backdoor to the Chinese Grayfly operation.

Experts from Broadcom’s Symantec linked a previously undocumented backdoor to the Chinese Grayfly operation.

In late August, ESET researchers uncovered the SideWalk backdoor that was employed by the Chine cyberespionage group in an attack aimed at a computer retail company based in the U.S.. The APT group primarily focuses on attacks against organizations in East and Southeast Asia, the group has been particularly active in recent years.

“The malware, which is related to the older Crosswalk backdoor (Backdoor.Motnug) has been deployed in recent Grayfly campaigns against a number of organizations in Taiwan, Vietnam, the United States, and Mexico. A feature of this recent campaign was that a large number of targets were in the telecoms sector. The group also attacked organizations in the IT, media, and finance sectors.” reads the analysis published by Broadcom’s Symantec.

The arsenal of the cyber espionage group includes the Barlaiy/POISONPLUG and Crosswalk/ProxIP (Backdoor.Motnug) malware.

In September 2020, US Department of Justice announced indictments against 5 Chinese nationals alleged members of a state-sponsored hacking group known as APT41. Three of them (Jiang Lizhi, Qian Chuan, and Fu Qiang) were involved in the Grayfly tools and tactics.

The recently discovered implant is related to the older Crosswalk backdoor (Backdoor.Motnug), it has been used in recent Grayfly operations against a number of organizations in Taiwan, Vietnam, the United States, and Mexico.

Most of the victims were in the telecoms sector, followed by the IT, media, and finance sectors.

A characteristic of the recent Sidewalk campaign was that the threat actors focused on exposed Microsoft Exchange or MySQL servers. Once compromised publicly facing Microsoft Exchange or MySQL web servers to deploy web shells, the attackers spread laterally across the target network and leverage additional backdoors to maintain persistence and exfiltrate sensitive data.

“In at least one attack, the suspicious Exchange activity was followed by PowerShell commands used to install an unidentified web shell. Following this, the malicious backdoor was executed.” continues the analysis. “After the installation of the backdoor, the attackers deployed a custom version of the credential-dumping tool Mimikatz. This version of Mimikatz has been used previously in Grayfly attacks.”

Symantec attributes the recent attacks to the SparklingGoblin APT, which is believed to be under the umbrella of the China-linked Winnti (aka APT41) APT group.

“Grayfly is a capable actor, likely to continue to pose a risk to organizations in Asia and Europe across a variety of industries, including telecommunications, finance, and media,” the researchers conclude. “It’s likely this group will continue to develop and improve its custom tools to enhance evasion tactics along with using commodity tools such as publicly available exploits and web shells to assist in their attacks.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Grayfly )

[adrotate banner=”5″]

[adrotate banner=”13″]