Chinese Group Grayfly Uses SideWalk Backdoor

Admin

19 Sep, 2021

A campaign that targeted the U.S. media organizations and retailers using SideWalk backdoor last month has been spotted again. At that time, it was used by the SparklingGoblin APT group, whereas it has been recently spotted in Grayfly campaigns.

Discussing Grayfly campaigns

Grayfly is a threat group active since March 2017 and known to use the custom backdoor Motnug (aka CrossWalk), a custom loader Trojan.Chattak, Cobalt Strike, and additional tools in their attacks.

While most victims in the recent campaign are from the telecom sector, some victims also belong from the media, IT, and finance firms located in Vietnam, Mexico, the U.S., and Taiwan.
The group is focused on targeting vulnerable Microsoft Exchange or MySQL servers. The initial vector could be the abuse of various vulnerabilities in public servers.
In one of the attacks, a suspicious Exchange activity was found using PowerShell commands for installing an unknown web shell backdoor.
After the backdoor is installed, the attackers deliver a custom version of Mimikatz (a credential-dumping tool).

An incident from last year

In 2020, three men were charged in the U.S. for playing a role in the Grayfly attacks. All three individuals were Chinese and worked for the Chengdu 404 firm.
The firm describes itself as a network security specialist and claims to have a team of white hat hackers who can carry out penetration testing and other security operations.
All men were involved in attacks against over 100 different organizations based in the U.S., South Korea, Japan, India, Taiwan, Hong Kong, Malaysia, Vietnam, and India, among other countries.
One of the individuals was believed to have a working relationship with the Chinese Ministry of State Security, which is surmised to be providing them some sort of state protection.

Conclusion

Grayfly was observed refining its tools and evasion tactics to become more successful, indicating that the group will maximize its target victims in Asia and Europe, across multiple industries. Therefore, it is important for security experts to keep an eye on this threat while using shared threat intelligence to detect and stop these attacks.

Source: https://cyware.com/

<!--

<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/1807328581-widgets.js"></script>
<script type='text/javascript'>
window['__wavt'] = 'AOuZoY5nwKpLpyIGHVnK-kI1A88WMSOzfg:1714116860876';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d8315132940176638004','//www.cyberlaw.eu.org/2021/09/chinese-group-grayfly-uses-sidewalk.html','8315132940176638004');
_WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '8315132940176638004', 'title': 'Cyberlaw', 'url': 'https://www.cyberlaw.eu.org/2021/09/chinese-group-grayfly-uses-sidewalk.html', 'canonicalUrl': 'https://www.cyberlaw.eu.org/2021/09/chinese-group-grayfly-uses-sidewalk.html', 'homepageUrl': 'https://www.cyberlaw.eu.org/', 'searchUrl': 'https://www.cyberlaw.eu.org/search', 'canonicalHomepageUrl': 'https://www.cyberlaw.eu.org/', 'blogspotFaviconUrl': 'https://www.cyberlaw.eu.org/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': true, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': '', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Cyberlaw - Atom\x22 href\x3d\x22https://www.cyberlaw.eu.org/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Cyberlaw - RSS\x22 href\x3d\x22https://www.cyberlaw.eu.org/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Cyberlaw - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/8315132940176638004/posts/default\x22 /\x3e\n\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Cyberlaw - Atom\x22 href\x3d\x22https://www.cyberlaw.eu.org/feeds/3753631314178046366/comments/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/16e657cb9c57b8a2', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'Twitter', 'key': 'twitter', 'shareMessage': 'Share to Twitter', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'item', 'postId': '3753631314178046366', 'postImageUrl': 'https://cyware-ent.s3.amazonaws.com/image_bank/b7ac_shutterstock_1149122297.jpg', 'pageName': 'Chinese Group Grayfly Uses SideWalk Backdoor', 'pageTitle': 'Cyberlaw: Chinese Group Grayfly Uses SideWalk Backdoor', 'metaDescription': ''}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': true, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Chinese Group Grayfly Uses SideWalk Backdoor', 'description': 'Cyberlaw.eu.org is an online publication that helps people navigate a safe path through their increasingly complex digital lives.', 'featuredImage': 'https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uaGRfvsjRMPRgMzj6I2aiIfjAJ89ntDnXOGt1iThqu1iHBRluo2E8Ye78F7eolyQaPxPGudh8MlMhK3f_8Edtcmn9rFH4l_XcxGkWd0NBmCIu19_nsP8sdzowl9T59y_dogmLXM6wflY4-w85E0C3zoqc', 'url': 'https://www.cyberlaw.eu.org/2021/09/chinese-group-grayfly-uses-sidewalk.html', 'type': 'item', 'isSingleItem': true, 'isMultipleItems': false, 'isError': false, 'isPage': false, 'isPost': true, 'isHomepage': false, 'isArchive': false, 'isLabelSearch': false, 'postId': 3753631314178046366}}, {'name': 'widgets', 'data': [{'title': 'Logo', 'type': 'HTML', 'sectionId': 'header-main', 'id': 'HTML50'}, {'title': 'Menu', 'type': 'PageList', 'sectionId': 'header-main', 'id': 'PageList50'}, {'title': 'SVG Icons', 'type': 'HTML', 'sectionId': 'icons', 'id': 'HTML58'}, {'title': 'Blog Posts', 'type': 'Blog', 'sectionId': 'blog-post', 'id': 'Blog50', 'posts': [{'id': '3753631314178046366', 'title': 'Chinese Group Grayfly Uses SideWalk Backdoor', 'featuredImage': 'https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uaGRfvsjRMPRgMzj6I2aiIfjAJ89ntDnXOGt1iThqu1iHBRluo2E8Ye78F7eolyQaPxPGudh8MlMhK3f_8Edtcmn9rFH4l_XcxGkWd0NBmCIu19_nsP8sdzowl9T59y_dogmLXM6wflY4-w85E0C3zoqc', 'showInlineAds': false}], 'footerBylines': [], 'allBylineItems': []}, {'title': '', 'type': 'Image', 'sectionId': 'sidebar-static', 'id': 'Image1'}, {'title': 'Popular Posts', 'type': 'PopularPosts', 'sectionId': 'sidebar-static', 'id': 'PopularPosts50', 'posts': [{'title': '46% of all on-prem databases are vulnerable to attack, breaches expected to grow', 'id': 7790416452275736488}, {'title': 'ProtonMail shared activist\x27s IP with law enforcement, claims had no other choice', 'id': 3008301597554200192}, {'title': 'Google patches 10th Chrome zero-day exploited in the wild this year', 'id': 7089575375688601033}, {'title': 'Cisco Patches Critical Vulnerabilities in IOS XE Software', 'id': 1823637314326203949}, {'title': 'SSID Stripping: New Method for Tricking Users Into Connecting to Rogue APs', 'id': 5218617025854254661}]}, {'title': 'Categories', 'type': 'Label', 'sectionId': 'sidebar-static', 'id': 'Label50'}, {'title': 'About Us', 'type': 'HTML', 'sectionId': 'footer-widget', 'id': 'HTML55'}, {'title': '', 'type': 'LinkList', 'sectionId': 'footer-widget', 'id': 'LinkList50'}, {'title': 'Follow Us', 'type': 'LinkList', 'sectionId': 'footer-widget', 'id': 'LinkList51'}, {'title': 'Copyright', 'type': 'HTML', 'sectionId': 'copyright', 'id': 'HTML56'}]}]);
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML50', 'header-main', document.getElementById('HTML50'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_PageListView', new _WidgetInfo('PageList50', 'header-main', document.getElementById('PageList50'), {'title': 'Menu', 'links': [{'isCurrentPage': false, 'href': '/search/label/News?max-results\x3d10', 'title': 'News'}, {'isCurrentPage': false, 'href': '/search/label/Cyber?max-results\x3d10', 'title': 'Cyber'}, {'isCurrentPage': false, 'href': '/search/label/Hacking?max-results\x3d10', 'title': 'Hacking'}, {'isCurrentPage': false, 'href': '/search/label/Vulnerable?max-results\x3d10', 'title': 'Vulnerable'}, {'isCurrentPage': false, 'href': '/search/label/Privacy?max-results\x3d10', 'title': 'Privacy'}], 'mobile': false, 'showPlaceholder': true, 'hasCurrentPage': false}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML58', 'icons', document.getElementById('HTML58'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog50', 'blog-post', document.getElementById('Blog50'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/1666805145-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/13464135-lightbox_bundle.css'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_ImageView', new _WidgetInfo('Image1', 'sidebar-static', document.getElementById('Image1'), {'resize': false}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_PopularPostsView', new _WidgetInfo('PopularPosts50', 'sidebar-static', document.getElementById('PopularPosts50'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LabelView', new _WidgetInfo('Label50', 'sidebar-static', document.getElementById('Label50'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML55', 'footer-widget', document.getElementById('HTML55'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList50', 'footer-widget', document.getElementById('LinkList50'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList51', 'footer-widget', document.getElementById('LinkList51'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML56', 'copyright', document.getElementById('HTML56'), {}, 'displayModeFull'));
</script>
</body>

-->