{
  "Event": {
    "analysis": "1",
    "date": "2021-09-09",
    "extends_uuid": "",
    "info": "[Threat Intel] Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware",
    "protected": false,
    "publish_timestamp": "1780039618",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772901946",
    "uuid": "a58cbce5-e0fa-4016-9bff-031c1997cda8",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#f28fb8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"",
        "relationship_type": ""
      },
      {
        "colour": "#dac154",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1049\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#6d779a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf2644",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Server Software Component - T1505\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#33360c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Thailand\"",
        "relationship_type": ""
      },
      {
        "colour": "#7dbb86",
        "local": false,
        "name": "misp-galaxy:target-information=\"Singapore\"",
        "relationship_type": ""
      },
      {
        "colour": "#f9cdc4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Indonesia\"",
        "relationship_type": ""
      },
      {
        "colour": "#4bec12",
        "local": false,
        "name": "misp-galaxy:target-information=\"Chile\"",
        "relationship_type": ""
      },
      {
        "colour": "#ce59f1",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Kingdom\"",
        "relationship_type": ""
      },
      {
        "colour": "#b990dd",
        "local": false,
        "name": "misp-galaxy:target-information=\"Australia\"",
        "relationship_type": ""
      },
      {
        "colour": "#670cf4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Pakistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#e459c3",
        "local": false,
        "name": "misp-galaxy:target-information=\"Hong Kong\"",
        "relationship_type": ""
      },
      {
        "colour": "#5887a6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Japan\"",
        "relationship_type": ""
      },
      {
        "colour": "#9c7ff4",
        "local": false,
        "name": "misp-galaxy:target-information=\"South Korea\"",
        "relationship_type": ""
      },
      {
        "colour": "#d52b43",
        "local": false,
        "name": "misp-galaxy:target-information=\"Mexico\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b8479",
        "local": false,
        "name": "misp-galaxy:target-information=\"Vietnam\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Symantec\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"APT41\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"MimiKatz\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"SideWalk (Windows)\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Telecoms\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736668277",
        "to_ids": false,
        "type": "link",
        "uuid": "2b5115e3-6ce0-408e-ac26-38bf31ca0556",
        "value": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736668277",
        "to_ids": false,
        "type": "text",
        "uuid": "68e4052c-c6ac-4e60-96e7-39e4ad14c97e",
        "value": "Recent campaigns involved exploits against Exchange and MySQL servers. The group has a heavy focus on the telecoms sector. A recently discovered backdoor, Sidewalk, has been linked to Grayfly, a China-linked espionage group. The malware has been deployed in recent Grayfly campaigns against a number of organizations in Taiwan, Vietnam, the United States, and Mexico."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736668277",
        "to_ids": false,
        "type": "text",
        "uuid": "e39ebab2-dab3-43fc-80cc-1fd91a6f5186",
        "value": "Name: Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware\nAuthor: AlienVault\nAdversary: Grayfly\nTags: [\"sparklinggoblin\", \"apt41\", \"grayfly\", \"sidewalk loader\", \"cobalt strike\", \"exchange\", \"motnug\", \"chattak\", \"mimikatz\"]\nTgtd countries: [\"Thailand\", \"Singapore\", \"Indonesia\", \"Chile\", \"United Kingdom of Great Britain and Northern Ireland\", \"Australia\", \"Pakistan\", \"Malaysia\", \"Hong Kong\", \"Japan\", \"Korea, Republic of\", \"Mexico\", \"India\", \"United States of America\", \"Viet Nam\", \"Taiwan\"]\nMlwr families: [\"SparklingGoblin\", \"Backdoor.Motnug\", \"Trojan.Chattak\"]\nAttack_ids: [\"T1003\", \"T1049\", \"T1059\", \"T1068\", \"T1505\", \"T1059.001\", \"T1027\"]\nIndustries: [\"Hospitality\", \"Healthcare\", \"Financial\", \"Food\", \"Telecommunications\", \"Finance\", \"Media\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736668277",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "576d3b16-920f-4b0b-aec4-6c49948e3ca8",
        "value": "Grayfly"
      },
      {
        "category": "Payload delivery",
        "comment": "Sidewalk loader. No sample in VT.\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740274798",
        "to_ids": true,
        "type": "sha256",
        "uuid": "a419bb91-5596-437e-ab32-fc27eb31174a",
        "value": "25a7c1f94822dc61211de253ff0a5805a0eb83921126732a0d52b1f1967cf079",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Mimikatz. No sample in VT.\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740274799",
        "to_ids": true,
        "type": "sha256",
        "uuid": "75c90721-e0de-4706-b5cc-048155b3b351",
        "value": "b3eb783b017da32e33d19670b39eae0b11de8e983891dd4feb873d6e9333608d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981216",
        "uuid": "83ec2401-2b08-4b06-bd7f-cd69d9fa31ff",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Sidewalk loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981215",
            "to_ids": true,
            "type": "md5",
            "uuid": "c586b67a-d10e-4d3d-b571-fd679aef2e10",
            "value": "1cb924170eb1964ad7414c01631cc10e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Sidewalk loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1747981215",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7cd72b37-8847-4ff4-b104-4a979b138976",
            "value": "9d1940ed48190277c9d98ddbd7e4ea63ade5ceae",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Sidewalk loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1747981216",
            "to_ids": true,
            "type": "sha256",
            "uuid": "258a03e8-93ab-4fb9-a220-7116bdc715a9",
            "value": "1b5b37790b2029902d2d6db2da20da4d0d7846b20e32434f01b2d384eba0eded",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274586",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "11faf513-2dc9-4413-99d9-93b477567a0d",
            "value": "1536:GGRmMwXh5pubj9XwYSmxsLxpPRpEvqW0cpC+vt4fRO:pmMwXhaAYrxsFpPy0cpCG4fE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274586",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "09c1f945-a9bf-4120-9b52-65e6d5691875",
            "value": "75264"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274586",
            "to_ids": true,
            "type": "vhash",
            "uuid": "fe6dfbc6-832e-464e-bfda-af743bec03f2",
            "value": "17403f76551\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274586",
            "to_ids": true,
            "type": "filename",
            "uuid": "56d3419b-616b-417e-a313-01be4f30a4a4",
            "value": "dotnet.4.x64.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  22/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274586",
            "to_ids": false,
            "type": "text",
            "uuid": "f3301ee4-1ce1-4688-a03c-875dfa6fbc54",
            "value": "Sidewalk loader\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Ymacco.AA1B\nVT Total Detection:55/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981216",
        "uuid": "e1e36b5d-5851-43eb-a148-65c5b7ea7d67",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Sidewalk loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981216",
            "to_ids": true,
            "type": "md5",
            "uuid": "29916d62-2a28-4b0c-9cb6-ef7855a5559b",
            "value": "7007877ec8545265722325231b434c79",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Sidewalk loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1747981216",
            "to_ids": true,
            "type": "sha1",
            "uuid": "43071c42-3666-4443-a1a7-9c6e90f1e99e",
            "value": "8c877f583dd1e317af4eb9e15c2d202f2f63e0d1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Sidewalk loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1747981216",
            "to_ids": true,
            "type": "sha256",
            "uuid": "956a4f5b-0509-4b23-b45a-c68908db5969",
            "value": "b732bba813c06c1c92975b34eda400a84b5cc54a460eeca309dfecbe9b559bd4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274608",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "52fed913-7544-4bf6-97b7-66138c764e73",
            "value": "1536:ZP16ZCqdYcoKs81/RtXyYMwkZf3Zal2WZ3BN6zG0xvexteLiZXX:ZgZlYcFtvkZZakWZ3BN6zG0MxteLiZn"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274608",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4612b7ad-2b41-42dc-a178-1a3c0110d6c8",
            "value": "74752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274608",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5aa05618-87c1-4987-b688-0cc00c350f93",
            "value": "17403f76551\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274608",
            "to_ids": true,
            "type": "filename",
            "uuid": "e5bcdf7b-4e82-4929-b1ee-ff5779fb69e7",
            "value": "dotnet.4.x64.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  22/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274608",
            "to_ids": false,
            "type": "text",
            "uuid": "2a5ddac1-d7c9-4e25-90b4-f8b688f9b27d",
            "value": "Sidewalk loader\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Ymacco.AAB7\nVT Total Detection:56/77"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981216",
        "uuid": "d877ee94-bc26-42b3-bab4-173a498ae90d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Sidewalk loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981216",
            "to_ids": true,
            "type": "md5",
            "uuid": "9f8dc7f5-10bd-4445-a0c8-ecd23648809c",
            "value": "5251b3f47b1ae8feb79642011b3a925b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Sidewalk loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1747981216",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b4521683-f8f0-4b22-a038-b18d3daadfac",
            "value": "4c8194c94e25d51a062fab3e0a3edcec349fe914",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Sidewalk loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1747981216",
            "to_ids": true,
            "type": "sha256",
            "uuid": "150003d8-d8db-4730-915f-66e29101cf72",
            "value": "04f6fc49da69838f5b511d8f996dc409a53249099bd71b3c897b98ad97fd867c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274629",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "56c88143-e657-497b-a0fd-685061b02f8b",
            "value": "3072:BAPAcEG38y8YmdVhSElOs221FwJjP3HvlN8GA79:SPA0sy8YW+ElOs221FwJjP3HvlN8GA"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274629",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ac76ce1a-a6cd-4833-9b7c-114a4c6037b0",
            "value": "121344"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274629",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a9437dbc-5373-4d54-b102-fdcf37d2317c",
            "value": "01503f76551\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274629",
            "to_ids": true,
            "type": "filename",
            "uuid": "ee20a66f-ed89-46d6-9f67-582e83d9185e",
            "value": "Webisapi46.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  25/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274629",
            "to_ids": false,
            "type": "text",
            "uuid": "46ba40bd-02f1-4e6b-83e5-b86a12b99fa9",
            "value": "Sidewalk loader\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:MSIL/Tnega.PRY!MTB\nVT Total Detection:57/72"
          }
        ]
      }
    ]
  }
}