CB TAU Threat Intelligence Notification: State-Sponsored Espionage Group Targeting Multiple Verticals with ‘Crosswalk’

FireEye recently reported on APT41, a Chinese state-sponsored espionage group. The group has been documented targeting healthcare, high-tech, and telecommunications companies for traditional corporate espionage purposes; it has also targeted companies in the video game industry for financial gain. Crosswalk is a modular backdoor that gathers host information and is capable of executing shellcode in response to C2 messages. The Carbon Black Threat Analysis Unit (TAU) provides the product rules to detect and protect against execution of the malware.

Behavioral Summary

Once executed, Crosswalk dynamically loads and executes additional code appended to the end of the binary. That additional code resolves its imports dynamically to make analysis more difficult. After resolving the APIs it needs, the malware begins to gather host information. It collects the following:

  • A generated UUID
  • Local IP address
  • Windows version number
  • User name
  • Computer name

CB Defense will record the following TTPs for the malware.

The malware attempts to communicate over well-known ports (TCP 80 and 443). However, the traffic sent to the C2 does not use the HTTP protocol; the malware uses its own custom protocol instead. It hashes the UUID it generated and derives 128-bit AES session keys from that hash for encryption. The data sent to the C2 server contains the UUID in plaintext along with the encrypted information.
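The behaviour above (a non-HTTP, non-TLS protocol on TCP 80/443, plus the two C2 addresses listed in the IOC table below) suggests a simple network-side check. The following is an added example written for this notification, not Carbon Black's code; it assumes flow records that carry the first bytes of each client-to-server payload, and uses the IOC addresses from this post.

```python
import re

# C2 addresses taken from the notification's IOC table.
CROSSWALK_C2 = {"160.16.85.174", "45.32.226.32"}
# Ports the notification says the malware uses with its custom protocol.
WELL_KNOWN_PORTS = {80, 443}
# Client-side HTTP request line prefixes (assumed sufficient for this check).
HTTP_PREFIX = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS|DELETE|CONNECT|PATCH) ")


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a TLS handshake record header:
    content type 0x16 and a 3.x record version (SSL3.0 .. TLS1.3 use 0x0300-0x0304)."""
    return (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04)


def looks_like_http(payload: bytes) -> bool:
    """True if the payload starts like an HTTP/1.x request line."""
    return HTTP_PREFIX.match(payload) is not None


def classify_flow(dst_ip: str, dst_port: int, payload: bytes) -> list:
    """Return a list of findings for one flow; an empty list means nothing suspicious.
    Flows with no payload yet (e.g. SYN only) are never flagged on protocol grounds."""
    findings = []
    if dst_ip in CROSSWALK_C2:
        findings.append("known-crosswalk-c2")
    if payload and dst_port in WELL_KNOWN_PORTS \
            and not looks_like_tls(payload) and not looks_like_http(payload):
        findings.append("non-http-non-tls-on-%d" % dst_port)
    return findings


def scan(flows: list) -> list:
    """Run classify_flow over (dst_ip, dst_port, payload) tuples, keeping only hits."""
    results = []
    for dst_ip, dst_port, payload in flows:
        hits = classify_flow(dst_ip, dst_port, payload)
        if hits:
            results.append((dst_ip, dst_port, hits))
    return results


# Constructed sample flows (not captured Crosswalk traffic).
SAMPLE_FLOWS = [
    ("93.184.216.34", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),  # TLS ClientHello
    ("93.184.216.34", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),  # plain HTTP
    ("160.16.85.174", 443, b"\x7f\x3a\x91\x00\x10\x42\xaa\x05"),       # opaque bytes to C2
    ("10.0.0.5", 443, b"\x00\x00\x00\x2c\xde\xad\xbe\xef"),           # opaque bytes, unknown host
    ("10.0.0.5", 443, b""),                                            # no payload yet
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(hit)
```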

If you are a Carbon Black customer looking to learn how to defend against this attack, click here.

MITRE ATT&CK TIDs

| TID   | Tactic              | Description                                   |
|-------|---------------------|-----------------------------------------------|
| T1140 | Defense Evasion     | Deobfuscate/Decode Files or Information       |
| T1082 | Discovery           | System Information Discovery                  |
| T1016 | Discovery           | System Network Configuration Discovery        |
| T1033 | Discovery           | System Owner/User Discovery                   |
| T1043 | Command And Control | Commonly Used Port                            |
| T1094 | Command And Control | Custom Command and Control Protocol           |
| T1032 | Command And Control | Standard Cryptographic Protocol               |

Indicators of Compromise (IOCs)

| Indicator                                                        | Type    | Context                      |
|------------------------------------------------------------------|---------|------------------------------|
| 300519fa1af5c36371ab438405eb641f184bd2f491bdf24f04e5ca9b86d1b39c | SHA256  | Crosswalk 32-bit executable  |
| db866ef07dc1f2e1df1e6542323bc672dd245d88c0ee91ce0bd3da2c95aedf68 | SHA256  | Crosswalk 32-bit executable  |
| f6d0cd5b6aa6ccea3ba3cb63b26420f6579d4a07164944e1013e093c521c5687 | SHA256  | Crosswalk 64-bit executable  |
| 9d0ac935b9e0d6c86fc2904477638af6e4b68d020c2956912e5109cc6219c08f | SHA256  | Crosswalk 64-bit DLL         |
| 160.16.85.174                                                    | TCP/443 | C2                           |
| 45.32.226.32                                                     | TCP/443 | C2                           |


The post CB TAU Threat Intelligence Notification: State-Sponsored Espionage Group Targeting Multiple Verticals with ‘Crosswalk’ appeared first on Carbon Black.

Article Link: https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-state-sponsored-espionage-group-targeting-multiple-verticals-with-crosswalk/