Security News > 2021 > September > Experts Link Sidewalk Malware Attacks to Grayfly Chinese Hacker Group
A previously undocumented backdoor that was recently found targeting an unnamed computer retail company based in the U.S. has been linked to a longstanding Chinese espionage operation dubbed Grayfly.
The cybersecurity firm attributed the intrusion to a group it tracks as SparklingGoblin, an adversary believed to be connected to the Winnti malware family.
Latest research published by researchers from Broadcom's Symantec has pinned the SideWalk backdoor on the China-linked espionage group, pointing out the malware's overlaps with the older Crosswalk malware, with the latest Grayfly hacking activities singling out a number of organizations in Mexico, Taiwan, the U.S., and Vietnam.
Known to be active at least since March 2017, Grayfly functions as the "Espionage arm of APT41" notorious for targeting a variety of industries in pursuit of sensitive data by exploiting publicly facing Microsoft Exchange or MySQL web servers to install web shells for initial intrusion, before spreading laterally across the network and install additional backdoors that enable the threat actor to maintain remote access and exfiltrate amassed information.
This was followed by executing a string of PowerShell commands to install an unidentified web shell, ultimately leading to the deployment of the Sidewalk backdoor and a custom variant of the Mimikatz credential-dumping tool that's been put to use in previous Grayfly attacks.
"It's likely this group will continue to develop and improve its custom tools to enhance evasion tactics along with using commodity tools such as publicly available exploits and web shells to assist in their attacks."
News URL
Related news
- Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware (source)
- Chinese State Hackers Target Tibetans with Supply Chain, Watering Hole Attacks (source)
- TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks (source)
- Chinese PC-maker Acemagic customized its own machines to get infected with malware (source)
- Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks (source)
- CISA warns of Microsoft Streaming bug exploited in malware attacks (source)
- Hackers target FCC, crypto firms in advanced Okta phishing attacks (source)
- Hackers steal Windows NTLM authentication hashes in phishing attacks (source)
- Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware (source)
- Hackers target Docker, Hadoop, Redis, Confluence with new Golang malware (source)