.svg)
.svg)
Picus Labs has updated the Picus Threat Library with new attack methods for the SideWalk backdoor malware used by APT41.
APT41
APT41 (also known as Winnti, Group 72, BARIUM, LEAD, Grayfly, GREF, TG-2633, BRONZE ATLAS) is a targeted attack group that has been active throughout 2010. APT41 is a Chinese threat group that mainly targets countries in Europe, North America, and Asia. The majority of the group's targets are in the telecommunications, manufacturing, healthcare, government, aviation, oil, defense, and finance industries.
The newly uncovered Sidewalk backdoor has been attributed by Symantec to the China-affiliated Grayfly espionage group, which is considered to be the espionage arm of APT41 by Symantec researchers. They also keep track of other APT41 sub-groups separately, such as Blackfly, its cyber-crime unit.
MITRE ATT&CK Tactics and Techniques Used in SideWalk Campaign
Initial Access
The group appears to be particularly interested in exploiting vulnerable Microsoft Exchange or MySQL servers in the most recent campaign (MITRE ATT&CK T1190 Exploit Public-Facing Application).
Execution
The exploitation of a public-facing Exchange or MySQL server is followed by malicious PowerShell commands (MITRE ATT&CK T059.001 Command and Scripting Interpreter: PowerShell). PowerShell is a powerful interactive command-line shell and scripting language installed by default on Windows.
Attackers also use WMIC to run a Windows batch file (MITRE ATT&CK T1047 Windows Management Instrumentation).
|
WMIC /NODE:'[IP address]'; process call create 'cmd.exe /c c:\users\public\schtask.bat' |
Defense Evasion
The malicious PowerShell command is Base64 encoded (MITRE ATT&CK T1027 Obfuscated Files or Information).
This command utilizes the Certutil tool to decode and install a web shell (MITRE ATT&CK T1140 Deobfuscate/Decode Files or Information). Certutil is a command-line Windows tool for obtaining information about certificate authorities and configuring Certificate Services. However, attackers use Certutil to decode binaries hidden inside certificate files as Base64 information, download files from a given URL, and install browser root certificates to perform man-in-the-middle attacks.
Persistence
As mentioned above, PowerShell commands download and install a web shell (MITRE ATT&CK T1055.003 Server Software Component: Web Shell). Adversaries use web shells to backdoor web servers and gain persistent access to target systems. A Web shell is a Web script that is installed on the target Web server to allow an adversary to run commands on the system. In this attack campaign, APT41 utilizes the web shell to download the SideWalk backdoor malware.
As mentioned above, attackers use WMIC to run a Windows batch file (schtask.bat). This file is used to create a scheduled task to execute the backdoor and ensure persistence (MITRE ATT&CK T1053:005 Scheduled Task/Job: Scheduled Task).
Credential Access
After deploying the backdoor malware, APT41 uses a customized version of the credential-dumping tool Mimikatz (MITRE ATT&CK T1003: OS Credential Dumping).
Attack Simulation
You can test your security controls against the SideWalk backdoor malware using the Picus Continuous Security Validation Platform. We advise you to simulate SideWalk attacks and determine whether your security controls can prevent them or not. Picus Threat Library includes the following threats used in the SideWalk attack campaign of the APT41 threat group.
|
Picus ID |
Threat Name |
|
697954 |
Sidewalk Malware Loader used by Grayfly Threat Group .DLL File Download Variant-1 |
|
702528 |
Sidewalk Malware Loader used by Grayfly Threat Group .DLL File Download Variant-2 |
|
722302 |
Sidewalk Malware Loader used by Grayfly Threat Group .DLL File Download Variant-3 |
You can test the effectiveness of your endpoint security controls with the following attack scenario of APT41:
|
Picus ID |
Threat Name |
|
456406 |
APT41 Threat Group Attack Scenario |
Picus Threat Library also includes the following malware threats of the APT41 threat actors:
|
Picus ID |
Threat Name |
|
758260 |
Speculoos Backdoor used by APT41 Group .ELF File Download Variant-1 |
|
258837 |
Speculoos Backdoor used by APT41 Group .ELF File Download Variant-2 |
|
825372 |
Poisonplug Trojan used by APT41 Threat Group .DLL File Download Variant-1 |
|
232197 |
Poisonplug Trojan used by APT41 Threat Group .DLL File Download Variant-1 |
|
576388 |
Poisonplug Trojan used by APT41 Threat Group .DLL File Download Variant-3 |
|
361235 |
Poisonplug Trojan used by APT41 Threat Group .EXE File Download Variant-1 |
|
863797 |
Gearshift Backdoor Malware used by APT41 Threat Group .EXE File Download Variant-1 |
|
752120 |
Crackshot Backdoor Malware used by APT41 Threat Group .EXE File Download Variant-1 |
Indicators of Compromise (IOCs)
Webisapi46.exe
SHA-256: 04f6fc49da69838f5b511d8f996dc409a53249099bd71b3c897b98ad97fd867c
SHA-1: 4c8194c94e25d51a062fab3e0a3edcec349fe914
MD5: 5251b3f47b1ae8feb79642011b3a925b
dotnet.4.x64.dll
SHA-256: 1b5b37790b2029902d2d6db2da20da4d0d7846b20e32434f01b2d384eba0eded
SHA-1: 9d1940ed48190277c9d98ddbd7e4ea63ade5ceae
MD5: 1cb924170eb1964ad7414c01631cc10e
dotnet.4.x64.dll
SHA-256: b732bba813c06c1c92975b34eda400a84b5cc54a460eeca309dfecbe9b559bd4
SHA-1: 8c877f583dd1e317af4eb9e15c2d202f2f63e0d1
MD5: 7007877ec8545265722325231b434c79
References
[1] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware
