FireEye recently reported on APT41, a Chinese state-sponsored espionage group. The group has been documented targeting healthcare, high-tech, and telecommunications companies for traditional corporate espionage, and it has also targeted companies in the video game industry for financial gain. Crosswalk is a modular backdoor that gathers host information and can execute shellcode in response to C2 messages. The Carbon Black Threat Analysis Unit (TAU) provides the product rules that detect and block execution of the malware.
Behavioral Summary
Once executed, Crosswalk dynamically loads and executes additional code appended to the end of the binary (data past the last PE section, which the loader never maps). That appended code resolves the Windows APIs it needs at runtime rather than through a static import table, which makes analysis more complex. After loading the necessary APIs the malware begins to gather host information. The malware collects the following information:
- A generated UUID
- Local IP address
- Windows version number
- User name
- Computer name
CB Defense will record the following TTPs for the malware.
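As an added illustration (this is not code from the post or from Carbon Black, and the sample it builds is not a Crosswalk binary), the following Go program locates the bytes appended past the last PE section, the overlay, which is where code "appended to the end of the binary" sits. It parses only the DOS header, PE signature, COFF file header and section table using the standard PE field offsets; the minimal PE skeleton and the payload bytes are constructed inside the program so it runs offline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Overlay is data that sits past the last section's raw data. The Windows
// loader never maps it, so it is a natural place to append a payload that
// the stub later reads and executes itself.
type Overlay struct {
	Offset int    // file offset at which the overlay starts
	Data   []byte // the appended bytes
}

// FindOverlay parses just enough of a PE image (DOS header, PE signature,
// COFF file header and the section table) to compute where section data
// ends on disk; anything after that is overlay. It returns (nil, nil) when
// the file ends exactly with the last section.
func FindOverlay(img []byte) (*Overlay, error) {
	if len(img) < 0x40 || img[0] != 'M' || img[1] != 'Z' {
		return nil, errors.New("not an MZ image")
	}
	peOff := int(binary.LittleEndian.Uint32(img[0x3c:])) // e_lfanew
	if peOff < 0 || peOff+24 > len(img) || string(img[peOff:peOff+4]) != "PE\x00\x00" {
		return nil, errors.New("missing PE signature")
	}
	fh := img[peOff+4:]                                 // COFF file header
	numSections := int(binary.LittleEndian.Uint16(fh[2:]))
	optSize := int(binary.LittleEndian.Uint16(fh[16:])) // SizeOfOptionalHeader
	secTab := peOff + 24 + optSize
	if secTab+numSections*40 > len(img) {
		return nil, errors.New("section table truncated")
	}
	// Headers count as used bytes; then extend over every section's raw data.
	end := secTab + numSections*40
	for i := 0; i < numSections; i++ {
		sh := img[secTab+i*40:]
		rawSize := int(binary.LittleEndian.Uint32(sh[16:])) // SizeOfRawData
		rawPtr := int(binary.LittleEndian.Uint32(sh[20:]))  // PointerToRawData
		if rawSize == 0 {
			continue // uninitialised-data section, nothing on disk
		}
		if rawPtr+rawSize > end {
			end = rawPtr + rawSize
		}
	}
	switch {
	case end > len(img):
		return nil, errors.New("section data runs past end of file")
	case end == len(img):
		return nil, nil
	}
	return &Overlay{Offset: end, Data: img[end:]}, nil
}

// BuildSamplePE constructs a minimal, non-executable PE skeleton (one
// section, no optional header) with payload appended as overlay. It is
// constructed test scaffolding so the example runs offline, not a real sample.
func BuildSamplePE(section, payload []byte) []byte {
	const peOff = 0x40
	hdrLen := peOff + 4 + 20 + 40 // DOS header + signature + file header + 1 section header
	img := make([]byte, hdrLen)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3c:], peOff)
	copy(img[peOff:], "PE\x00\x00")
	fh := img[peOff+4:]
	binary.LittleEndian.PutUint16(fh[0:], 0x014c) // IMAGE_FILE_MACHINE_I386
	binary.LittleEndian.PutUint16(fh[2:], 1)      // NumberOfSections
	binary.LittleEndian.PutUint16(fh[16:], 0)     // no optional header, keeps the sample tiny
	sh := img[peOff+24:]
	copy(sh, ".text")
	binary.LittleEndian.PutUint32(sh[16:], uint32(len(section))) // SizeOfRawData
	binary.LittleEndian.PutUint32(sh[20:], uint32(hdrLen))       // PointerToRawData
	img = append(img, section...)
	return append(img, payload...)
}

func main() {
	img := BuildSamplePE([]byte("\x90\x90\xc3"), []byte("constructed payload"))
	ov, err := FindOverlay(img)
	if err != nil {
		panic(err)
	}
	if ov == nil {
		fmt.Println("no overlay")
		return
	}
	fmt.Printf("overlay of %d bytes at offset 0x%x: %q\n", len(ov.Data), ov.Offset, ov.Data)
}
```

To triage a real file, read it into `img` and call `FindOverlay`. Installers, self-extracting archives and some packers also carry overlays, so a non-empty overlay is a signal to look closer (size, entropy, whether the stub reads its own file), not a verdict on its own.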
The malware communicates over well-known ports (TCP 80 and 443), but the traffic sent to the C2 does not use HTTP; Crosswalk speaks a custom protocol instead. It hashes the UUID it generated and derives AES 128-bit session keys from that hash. Each message to the C2 server carries the UUID in plaintext followed by the encrypted information, so the key material is a function of a field that is visible on the wire.
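The framing described above, modelled as an added Go example that is not Crosswalk's code and does not reproduce its actual key schedule: the hash function (SHA-256), the way key and nonce are cut from it, the 16-byte raw UUID prefix, AES-CTR mode and the key=value record encoding are all assumptions made for illustration, and the host record is constructed. What the example does show is the consequence the post implies: because the UUID travels in plaintext and the AES key is derived from it, anyone holding the derivation recovered from the sample can decrypt captured C2 frames with no key exchange to intercept.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// uuidLen is the size of the plaintext UUID prefix. Sixteen raw bytes is an
// assumption; the post only states that the UUID travels in the clear.
const uuidLen = 16

// HostInfo carries the fields the post lists as collected (the UUID itself
// is the frame prefix, so it is not repeated in the record).
type HostInfo struct {
	LocalIP, WindowsVersion, UserName, ComputerName string
}

// Marshal serialises the record as key=value lines. The real wire encoding
// is not described in the post; this stand-in keeps the example readable.
func (h HostInfo) Marshal() []byte {
	return []byte(strings.Join([]string{
		"ip=" + h.LocalIP,
		"winver=" + h.WindowsVersion,
		"user=" + h.UserName,
		"host=" + h.ComputerName,
	}, "\n"))
}

// NewUUID returns 16 random bytes standing in for the generated UUID.
func NewUUID() ([]byte, error) {
	u := make([]byte, uuidLen)
	_, err := rand.Read(u)
	return u, err
}

// DeriveSessionKey models "hash the UUID, derive AES-128 session keys".
// SHA-256 with the first 16 bytes as key and the next 16 as CTR nonce is an
// assumed derivation chosen for this example; the sample's real hash and
// key schedule have to come from reversing it.
func DeriveSessionKey(uuid []byte) (key, nonce []byte) {
	h := sha256.Sum256(uuid)
	return h[:16], h[16:32]
}

// stream builds the AES-128-CTR keystream for a given UUID. CTR is
// symmetric, so the same call serves the implant and the decoder.
func stream(uuid []byte) (cipher.Stream, error) {
	key, nonce := DeriveSessionKey(uuid)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewCTR(block, nonce), nil
}

// EncodeFrame is the implant side: plaintext UUID, then the encrypted record.
func EncodeFrame(uuid []byte, info HostInfo) ([]byte, error) {
	if len(uuid) != uuidLen {
		return nil, errors.New("uuid must be 16 bytes")
	}
	s, err := stream(uuid)
	if err != nil {
		return nil, err
	}
	body := info.Marshal()
	frame := make([]byte, uuidLen+len(body))
	copy(frame, uuid)
	s.XORKeyStream(frame[uuidLen:], body)
	return frame, nil
}

// DecodeFrame is the defender side. Every byte of key material is a
// function of the prefix sent in the clear, so a captured frame decrypts
// with nothing but the derivation above.
func DecodeFrame(frame []byte) (uuid []byte, record string, err error) {
	if len(frame) < uuidLen {
		return nil, "", errors.New("frame shorter than UUID prefix")
	}
	uuid = frame[:uuidLen]
	s, err := stream(uuid)
	if err != nil {
		return nil, "", err
	}
	body := make([]byte, len(frame)-uuidLen)
	s.XORKeyStream(body, frame[uuidLen:])
	return uuid, string(body), nil
}

func main() {
	uuid, err := NewUUID()
	if err != nil {
		panic(err)
	}
	// Constructed sample host record, not data from a real infection.
	frame, err := EncodeFrame(uuid, HostInfo{"10.0.0.23", "10.0.17763", "jdoe", "WS-0042"})
	if err != nil {
		panic(err)
	}
	_, record, err := DecodeFrame(frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uuid=%x\n%s\n", uuid, record)
}
```

For network detection the same structure is what makes the traffic stand out: a TCP/443 session that never begins with a TLS ClientHello, or a TCP/80 session that never carries an HTTP request line, and whose first bytes are a fixed-length, non-printable prefix followed by high-entropy data.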
MITRE ATT&CK TIDs
TID | Tactic | Description |
---|---|---|
T1140 | Defense Evasion | Deobfuscate/Decode Files or Information |
T1082 | Discovery | System Information Discovery |
T1016 | Discovery | System Network Configuration Discovery |
T1033 | Discovery | System Owner/User Discovery |
T1043 | Command And Control | Commonly Used Port |
T1094 | Command And Control | Custom Command and Control Protocol |
T1032 | Command And Control | Standard Cryptographic Protocol |
Indicators of Compromise (IOCs)
Indicator | Type | Context |
---|---|---|
300519fa1af5c36371ab438405eb641f184bd2f491bdf24f04e5ca9b86d1b39c | SHA256 | Crosswalk 32-bit executable |
db866ef07dc1f2e1df1e6542323bc672dd245d88c0ee91ce0bd3da2c95aedf68 | SHA256 | Crosswalk 32-bit executable |
f6d0cd5b6aa6ccea3ba3cb63b26420f6579d4a07164944e1013e093c521c5687 | SHA256 | Crosswalk 64-bit executable |
9d0ac935b9e0d6c86fc2904477638af6e4b68d020c2956912e5109cc6219c08f | SHA256 | Crosswalk 64-bit DLL |
160.16.85.174 | TCP/443 | C2 |
45.32.226.32 | TCP/443 | C2 |
The post CB TAU Threat Intelligence Notification: State-Sponsored Espionage Group Targeting Multiple Verticals with ‘Crosswalk’ appeared first on Carbon Black.