An implant operation called SideWalk, which is designed to load arbitrary plugins sent from an attacker-controlled server, gather information about running processes in the compromised systems, and transmit the results back to the remote server. Earlier tracked as Sparkling Goblin (APT41) family
Latest research published by researchers pinned the SideWalk backdoor on the China-linked espionage group, pointing out the malware’s overlaps with the older Crosswalk malware, with the latest Grayfly hacking activities singling out a number of organizations in Mexico, Taiwan, the U.S., and Vietnam.
The group also attacked organizations in the IT, media, and finance sectors. Targeting a variety of industries in pursuit of sensitive data by exploiting publicly facing Microsoft Exchange or MySQL web servers to install web shells for initial intrusion.
The malicious cyber activity started with targeting an internet reachable Microsoft Exchange server to gain an initial foothold into the network. This followed by executing a string of PowerShell commands to install an unidentified web shell, ultimately leading to the deployment of the Sidewalk backdoor and a custom variant of the Mimikatz credential-dumping tool that’s been put to use in previous Grayfly attacks.
Grayfly to pose a risk to organizations in Asia and Europe across a variety of industries, including telecommunications, finance, and media. It’s likely this group will continue to develop and improve its custom tools to enhance evasion tactics along with using commodity tools such as publicly available exploits and web shells to assist in their attacks.