Picus Threat Library Updated for SideWalk Backdoor Malware of APT41

Keep up to date with latest blog posts

Picus Labs has updated the Picus Threat Library with new attack methods for the SideWalk backdoor malware used by APT41.

APT41

APT41 (also known as Winnti, Group 72, BARIUM, LEAD, Grayfly, GREF, TG-2633, BRONZE ATLAS) is a targeted attack group that has been active throughout 2010. APT41 is a Chinese threat group that mainly targets countries in Europe, North America, and Asia. The majority of the group's targets are in the telecommunications, manufacturing, healthcare, government, aviation, oil, defense, and finance industries.

The newly uncovered Sidewalk backdoor has been attributed by Symantec to the China-affiliated Grayfly espionage group, which is considered to be the espionage arm of APT41 by Symantec researchers. They also keep track of other APT41 sub-groups separately, such as Blackfly, its cyber-crime unit.

MITRE ATT&CK Tactics and Techniques Used in SideWalk Campaign

Initial Access

The group appears to be particularly interested in exploiting vulnerable Microsoft Exchange or MySQL servers in the most recent campaign (MITRE ATT&CK T1190 Exploit Public-Facing Application). 

Execution

The exploitation of a public-facing Exchange or MySQL server is followed by malicious PowerShell commands (MITRE ATT&CK T059.001 Command and Scripting Interpreter: PowerShell). PowerShell is a powerful interactive command-line shell and scripting language installed by default on Windows.

Attackers also use WMIC to run a Windows batch file (MITRE ATT&CK T1047 Windows Management Instrumentation).

WMIC /NODE:'[IP address]'; process call create 'cmd.exe /c c:\users\public\schtask.bat'

 

Defense Evasion

The malicious PowerShell command is Base64 encoded (MITRE ATT&CK T1027 Obfuscated Files or Information). 

This command utilizes the Certutil tool to decode and install a web shell (MITRE ATT&CK T1140 Deobfuscate/Decode Files or Information). Certutil is a command-line Windows tool for obtaining information about certificate authorities and configuring Certificate Services. However, attackers use Certutil to decode binaries hidden inside certificate files as Base64 information, download files from a given URL, and install browser root certificates to perform man-in-the-middle attacks.

Persistence

As mentioned above, PowerShell commands download and install a web shell (MITRE ATT&CK T1055.003 Server Software Component: Web Shell). Adversaries use web shells to backdoor web servers and gain persistent access to target systems. A Web shell is a Web script that is installed on the target Web server to allow an adversary to run commands on the system. In this attack campaign, APT41 utilizes the web shell to download the SideWalk backdoor malware.

As mentioned above, attackers use WMIC to run a Windows batch file (schtask.bat). This file is used to create a scheduled task to execute the backdoor and ensure persistence (MITRE ATT&CK T1053:005 Scheduled Task/Job: Scheduled Task).

Credential Access

After deploying the backdoor malware, APT41 uses a customized version of the credential-dumping tool Mimikatz (MITRE ATT&CK T1003: OS Credential Dumping).

Attack Simulation

You can test your security controls against the SideWalk backdoor malware using the Picus Continuous Security Validation Platform. We advise you to simulate  SideWalk attacks and determine whether your security controls can prevent them or not. Picus Threat Library includes the following threats used in the SideWalk attack campaign of the APT41 threat group.

Picus ID

Threat Name

697954

Sidewalk Malware Loader used by Grayfly Threat Group .DLL File Download Variant-1

702528

Sidewalk Malware Loader used by Grayfly Threat Group .DLL File Download Variant-2

722302

Sidewalk Malware Loader used by Grayfly Threat Group .DLL File Download Variant-3

 

 

 

 

 

You can test the effectiveness of your endpoint security controls with the following attack scenario of APT41:

Picus ID

Threat Name

456406

APT41 Threat Group Attack Scenario

 

 

 

Picus Threat Library also includes the following malware threats of the APT41 threat actors:

Picus ID

Threat Name

758260

Speculoos Backdoor used by APT41 Group .ELF File Download Variant-1

258837

Speculoos Backdoor used by APT41 Group .ELF File Download Variant-2

825372

Poisonplug Trojan used by APT41 Threat Group .DLL File Download Variant-1

232197

Poisonplug Trojan used by APT41 Threat Group .DLL File Download Variant-1

576388

Poisonplug Trojan used by APT41 Threat Group .DLL File Download Variant-3

361235

Poisonplug Trojan used by APT41 Threat Group .EXE File Download Variant-1

863797

Gearshift Backdoor Malware used by APT41 Threat Group .EXE File Download Variant-1

752120

Crackshot Backdoor Malware used by APT41 Threat Group .EXE File Download Variant-1

Indicators of Compromise (IOCs)

Webisapi46.exe

SHA-256: 04f6fc49da69838f5b511d8f996dc409a53249099bd71b3c897b98ad97fd867c

SHA-1: 4c8194c94e25d51a062fab3e0a3edcec349fe914

MD5: 5251b3f47b1ae8feb79642011b3a925b

 

dotnet.4.x64.dll

SHA-256: 1b5b37790b2029902d2d6db2da20da4d0d7846b20e32434f01b2d384eba0eded

SHA-1: 9d1940ed48190277c9d98ddbd7e4ea63ade5ceae

MD5: 1cb924170eb1964ad7414c01631cc10e

 

dotnet.4.x64.dll

SHA-256: b732bba813c06c1c92975b34eda400a84b5cc54a460eeca309dfecbe9b559bd4

SHA-1: 8c877f583dd1e317af4eb9e15c2d202f2f63e0d1

MD5: 7007877ec8545265722325231b434c79

References

[1] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware

Subscribe

Keep up to date with latest blog posts