
ProxyLogon flaw, evil emails, SQL injections used to open backdoors on Windows boxes
2021-08-25 19:50

ESET and Trend Micro have identified a novel, sophisticated backdoor that miscreants have slipped onto compromised Windows computers at companies mostly in Asia but also in North America.

Trend Micro's researchers speculate that the design of the tooling indicates at least one member of the group is familiar with the tools and techniques of security red teams, while the SideWalk/ScrambleCross backdoor itself suggests personnel with deep knowledge of low-level programming and advanced software development.

"SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C server, makes use of Google Docs as a dead drop resolver, and Cloudflare workers as a C&C server," explain ESET researchers Thibaut Passilly and Mathieu Tartare, in a blog post.

Trend Micro researchers Hara Hiroaki and Ted Lee date the group's current campaign to July 2020 and link it to a separate, still-ongoing campaign using similar malware, dubbed LavagokLdr, that began in November 2018.

The SideWalk/ScrambleCross backdoor has been installed in several ways, according to Trend Micro: injection of an SQL script into a target's Microsoft SQL Server, exploitation of the ProxyLogon vulnerability in Microsoft Exchange Server, malicious email attachments, and abuse of the legitimate Windows InstallUtil.exe utility.

Once running, the backdoor module sets itself up, decrypts its instructions, verifies its own integrity as a defense against tampering, and then reaches out to two pieces of infrastructure: a Google Docs page that functions as a dead-drop resolver (the page content carries the IP address of the C&C server) and a Cloudflare Worker that serves as the C&C server itself.
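The dead-drop-then-C&C sequence described above leaves a recognisable footprint in egress logs: a host fetches a Google Docs document and, shortly afterwards, starts talking to a Cloudflare Workers hostname. The following is an added hunting example written for this page, not code from ESET, Trend Micro or The Register. The proxy log format, the sample lines, the five-minute window and the hostname lists are all assumptions made for the illustration; adapt them to your own telemetry.

```python
"""
Hunt for the dead-drop-resolver -> C&C pattern in egress proxy logs:
a host fetches a Google Docs page and within a short window connects
to a *.workers.dev hostname.  Everything below (log format, window,
sample data) is an assumption made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic). Assumed format:
# "<ISO-8601 timestamp> <source host> <HTTP method> <URL>"
SAMPLE_LOG = """\
2021-08-20T09:00:01 ws-17 GET https://docs.google.com/document/d/abc123/edit
2021-08-20T09:00:03 ws-17 POST https://example-worker.example.workers.dev/
2021-08-20T09:05:00 ws-02 GET https://docs.google.com/document/d/notes42/edit
2021-08-20T09:45:00 ws-02 GET https://cdn.example.org/app.js
2021-08-20T10:10:00 ws-31 POST https://api.another.workers.dev/upload
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Hostnames that play the two roles in the article's description.
DEAD_DROP_HOSTS = {"docs.google.com"}
C2_HOST_SUFFIX = ".workers.dev"


def parse_line(line):
    """Return a dict for one well-formed log line, or None for junk."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, host, method, url = match.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "method": method, "url": url}


def url_host(url):
    """Hostname component of a URL, lower-cased; '' if unparseable."""
    return (urlparse(url).hostname or "").lower()


def find_dead_drop_chains(log_text, window=timedelta(minutes=5)):
    """
    Group events per source host, sort by time, and report every
    Google Docs fetch that is followed within `window` by a connection
    to a *.workers.dev host from the same source.
    """
    events_by_host = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            events_by_host[event["host"]].append(event)

    alerts = []
    for host, events in events_by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, event in enumerate(events):
            if url_host(event["url"]) not in DEAD_DROP_HOSTS:
                continue
            # Scan forward only while still inside the time window.
            for later in events[i + 1:]:
                if later["ts"] - event["ts"] > window:
                    break
                if url_host(later["url"]).endswith(C2_HOST_SUFFIX):
                    alerts.append({
                        "host": host,
                        "dead_drop": event["url"],
                        "c2": url_host(later["url"]),
                        "gap_seconds": (later["ts"] - event["ts"]).seconds,
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_chains(SAMPLE_LOG):
        print(f"{alert['host']}: {alert['dead_drop']} -> "
              f"{alert['c2']} after {alert['gap_seconds']}s")
```

Both Google Docs and Cloudflare Workers are legitimate services in heavy everyday use, so a hit from this heuristic is a lead for triage, not a verdict; the distinguishing detail is the tight coupling of the two requests from one endpoint, ideally confirmed with process-level telemetry showing a non-browser process making them.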


News URL

https://go.theregister.com/feed/www.theregister.com/2021/08/25/backdoor_security_asia/