Sidewalk backdoor linked to Grayfly espionage group

Researchers have recently discovered the Sidewalk modular backdoor has been linked to a Chinese Grayfly espionage group.

Symantec’s Threat Hunter Team discovered the Grayfly campaign, that has deployed Sidewalk against a number of entities in Taiwan, Vietnam, the United States, and Mexico. Many of those victims were in the telecom sector, but other targets include organizations within the media, finance, and IT service provider sectors.

Sidewalk was recently discovered and documented by ESET, who linked the malware to advanced persistent threat (APT) group SparklingGoblin, linked to the Winnti malware family.

Also known as GREF and Wicked Panda, Grayfly has been active since March 2017 and has previously used Crosswalk malware. Both Crosswalk and Sidewalk are modular backdoors designed to exfiltrate and run shellcode via a command-and-control (C2) server.

In the recent campaign, Grayfly targets internet facing web servers to install web shells for initial intrusion. The malware then will spread within the network looking for other vulnerable systems.

“Once a network has been compromised, Grayfly may install its custom backdoors onto additional systems. These tools allow the attackers to have comprehensive remote access to the network and proxy connections allowing them to access hard-to-reach segments of a target’s network,” Symantec wrote in a blog post.

Moreover, the threats actors appear to be targeting vulnerable public-facing Microsoft Exchange or MySQL servers.

“In at least one attack, the suspicious Exchange activity was followed by PowerShell commands used to install an unidentified web shell. Following this, the malicious backdoor was executed,” Symantec added.

Earlier this year, the FBI also helped remove malicious shells from hundreds of compromised Exchange servers.

Symantec also considers Grayfly the espionage arm of APT41, which has been responsible for other sub-groups like cybercrime group Blackfly.

Related Articles