ProxyLogon flaw, malicious emails, SQL injection used to plant backdoors on Windows boxes • The Register
ESET and Trend Micro have identified a novel and sophisticated backdoor that miscreants have slipped onto compromised Windows computers at organisations mainly in Asia but also in North America.
As usual in the infosec world, the two security teams cannot agree on a name for this remote-access module. ESET refers to the malware as SideWalk and the group responsible for it as SparklingGoblin; Trend Micro prefers ScrambleCross and calls the threat actor Earth Baku, although it acknowledges that the crew is better known as APT41.
Trend Micro's researchers speculate that the malware's design indicates at least one group member is familiar with red-team tools and techniques, while the SideWalk / ScrambleCross backdoor itself suggests personnel with in-depth knowledge of low-level programming and advanced software development.
Regardless of the current make-up of the threat group and the terminology involved, this is not the type of malware you want to find on your network.
"SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C [command and control] server, uses Google Docs as a dead drop resolver, and Cloudflare Workers as a C&C server," ESET researchers Thibaut Passilly and Mathieu Tartare explain in a blog post. "It can also properly handle communication behind a proxy."
According to Passilly and Tartare, SideWalk has been used against the academic sector in Macau, Hong Kong and Taiwan, the education sector in Canada, a religious organisation and a computer manufacturer in Taiwan, government organisations in Southeast Asia, and a computer retailer in the United States, among others.
SparklingGoblin / Earth Baku has been running this particular campaign since mid-2020 and continues to do so, according to Passilly and Tartare.
Trend Micro researchers Hara Hiroaki and Ted Lee date the group's current malware to July 2020 and highlight its use of similar malware in a different but still ongoing campaign, dubbed LavagokLdr, which began in November 2018. ESET calls the LavagokLdr payload CrossWalk; it was analysed in 2019 by Carbon Black, since acquired by VMware.
According to Trend Micro, the SideWalk / ScrambleCross backdoor can be installed in various ways: by injecting a SQL script into a system's Microsoft SQL Server, by exploiting the Microsoft Exchange Server ProxyLogon vulnerability (CVE-2021-26855), via a malicious email attachment, or through a scheduled task that runs the Windows InstallUtil.exe installer to load a malicious .NET assembly.
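The InstallUtil.exe scheduled-task vector is cheap to hunt for: export the task definitions (`schtasks /query /xml`, or the XML files under C:\Windows\System32\Tasks) and look for `<Exec>` actions whose command is InstallUtil.exe. The script below is an added example, not code from The Register, ESET or Trend Micro; the two task definitions it parses are constructed for illustration, and the task names, paths and the "/U update.dll" arguments are assumptions, not indicators from either report.

```python
"""Hunt exported Windows Task Scheduler XML for tasks that launch InstallUtil.exe.

Added example (not from The Register, ESET or Trend Micro). Assumes task
definitions were exported with `schtasks /query /xml` and are fed in as strings;
the sample XML below is constructed, not a real indicator.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Task Scheduler XML lives in this namespace; ElementTree needs it on every tag.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample: one benign Windows task and one (hypothetical) task that
# abuses InstallUtil.exe /U to run code from an arbitrary .NET assembly.
SAMPLE_TASKS: Dict[str, str] = {
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "\\Updater": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe</Command>
      <Arguments>/logfile= /LogToConsole=false /U C:\\ProgramData\\update.dll</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def exec_actions(task_xml: str) -> List[Tuple[str, str]]:
    """Return (command, arguments) for every <Exec> action in one task definition."""
    root = ET.fromstring(task_xml.strip())
    actions = []
    for exec_node in root.iter(f"{TASK_NS}Exec"):
        cmd = exec_node.findtext(f"{TASK_NS}Command", default="")
        args = exec_node.findtext(f"{TASK_NS}Arguments", default="")
        actions.append((cmd.strip(), args.strip()))
    return actions


def is_installutil(command: str) -> bool:
    """True if the command's file name is InstallUtil.exe, whatever the path or quoting.

    Split on both slash kinds by hand: os.path.basename would not split a
    Windows path when this runs on a non-Windows analysis box.
    """
    name = re.split(r"[\\/]", command.strip().strip('"'))[-1]
    return name.lower() == "installutil.exe"


def find_installutil_tasks(tasks: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (task name, command, arguments) for every task whose action is InstallUtil.exe."""
    hits = []
    for name, xml in tasks.items():
        for cmd, args in exec_actions(xml):
            if is_installutil(cmd):
                hits.append((name, cmd, args))
    return hits


if __name__ == "__main__":
    for task, cmd, args in find_installutil_tasks(SAMPLE_TASKS):
        print(f"suspicious task {task}: {cmd} {args}")
```

A file-name match is a starting point, not a verdict: an attacker can copy InstallUtil.exe under another name, so on a real hunt also review any task whose command is a .NET Framework binary running an assembly from a writable location such as ProgramData or a user profile.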
Once installed, the backdoor module decrypts its configuration, verifies its own integrity as a tamper defence, and connects to a Cloudflare Worker that acts as its C&C server and to a Google Docs page that functions as a dead drop resolver: the document contains an IP address pointing to the C&C server.
Once up and running on a system, SideWalk / ScrambleCross lets its operators download further modules, collect system information, run data-theft code and impersonate logged-in users, among other capabilities.
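The dead drop resolver gives defenders a network-level pattern to look for: a client fetches a Google Docs document and, moments later, opens a connection to a host it has never needed before, either a Cloudflare Workers hostname or a bare IP address pulled from the document. The detection below is an added example, not code from ESET, Trend Micro or The Register. It assumes proxy logs in a simple "timestamp client method host path" layout (the lines are constructed), that a Workers C&C sits on the default *.workers.dev domain (a custom domain would evade that test, which is why the IP-literal check is there too), and a five-minute correlation window.

```python
"""Correlate a Google Docs fetch with a follow-on connection to a Cloudflare Workers
host or a bare IP, the dead drop resolver -> C&C sequence described for SideWalk.

Added example, not ESET's, Trend Micro's or The Register's code. The log format,
the *.workers.dev assumption and the five-minute window are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample proxy log: "timestamp client method host path".
# 10.0.0.15 and 10.0.0.44 show the pattern; 10.0.0.22 is outside the window.
SAMPLE_LOG = """\
2021-03-04T09:01:10 10.0.0.15 GET docs.google.com /document/d/1aBcD/edit
2021-03-04T09:01:12 10.0.0.15 POST updates-cdn.workers.dev /api/v1/beacon
2021-03-04T09:05:00 10.0.0.22 GET docs.google.com /document/d/9xYz/edit
2021-03-04T10:30:00 10.0.0.22 GET example.workers.dev /
2021-03-04T09:07:00 10.0.0.31 GET example.com /
2021-03-04T09:08:00 10.0.0.44 GET docs.google.com /document/d/QqRr/edit
2021-03-04T09:08:03 10.0.0.44 POST 203.0.113.7 /
"""

Event = Tuple[datetime, str, str, str, str]  # (time, client, method, host, path)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log layout into event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), client, method, host.lower(), path))
    return events


def is_dead_drop_fetch(host: str, path: str) -> bool:
    """A Google Docs document read is the resolver step the article describes."""
    return host == "docs.google.com" and path.startswith("/document/")


def is_candidate_c2(host: str) -> bool:
    """Workers default domain, or a bare IP literal as a resolver would hand out."""
    if host.endswith(".workers.dev"):
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_resolver_then_c2(events: List[Event],
                          window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Return (client, time of Docs fetch, C&C host) for each client that contacts a
    candidate C&C within `window` after reading a Google Docs document."""
    by_client: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_client[ev[1]].append(ev)
    alerts = []
    for client, evs in sorted(by_client.items()):
        evs.sort(key=lambda e: e[0])
        for i, (ts, _, _, host, path) in enumerate(evs):
            if not is_dead_drop_fetch(host, path):
                continue
            for ts2, _, _, host2, _ in evs[i + 1:]:
                if ts2 - ts > window:
                    break  # events are time-ordered; nothing later can qualify
                if is_candidate_c2(host2):
                    alerts.append((client, ts.isoformat(), host2))
                    break
    return alerts


if __name__ == "__main__":
    for client, when, c2 in find_resolver_then_c2(parse_log(SAMPLE_LOG)):
        print(f"{client}: Google Docs fetch at {when} followed by contact with {c2}")
```

Google Docs is common enough in most estates that this rule should be scored rather than alerted on outright; a hit is much stronger when the client's first-ever connection to the candidate host falls inside the window, or when the Docs fetch comes from a process that has no business reading documents.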
Network administrators and security staff who suspect they may be affected can check the indicators of compromise published by ESET and Trend Micro to see whether this software is present on their systems. ®