August 26, 2021
Severity
High
Analysis Summary
SideWalk is a novel and sophisticated backdoor that threat actors have deployed on compromised Windows computers, mostly at companies in Asia but also in North America. As is common in the infosec world, the two security vendors tracking it cannot agree on a name for this remote-access module: ESET refers to the malware as SideWalk and to the group responsible as SparklingGoblin, while Trend Micro prefers ScrambleCross and calls the threat actor Earth Baku, even as it acknowledges that the group is better known as APT41.
ESET's description of the tool: “SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C [command and control] server, makes use of Google Docs as a dead drop resolver, and Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy.”
The SideWalk backdoor shares multiple similarities with CROSSWALK, which is a modular backdoor attributed to APT41.
Impact
- Unauthorized Access
- Malware Infection
- File Encryption
- Information Theft
- Privilege Escalation
Indicators of Compromise
Domain Name
- update[.]facebookint[.]workers[.]dev
- cdn[.]cloudfiare[.]workers[.]dev
Filename
- C[:]\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\WebService
- C[:]\windows\system32\tasks\Microsoft\Windows\Ras\RasTaskStart
- iislog[.]tmp
- mscorsecimpl[.]tlb
- C_25749[.]NLS
- Microsoft[.]WebService[.]targets
IP
- 104[.]21[.]49[.]220
- 80[.]85[.]155[.]80
- 193[.]38[.]54[.]110
MD5
- cde90ac52c964a6c6b4326347822c561
- a1d972a6aa398d0230e577227b28e499
- 6fb64677980d2cae622e9ed6e4f4c449
- c629ae2af8689989fc14b26405761d03
- 1d36404f85d94bea6c976044cb342f24
SHA-256
- 34f95e0307959a376df28bc648190f72bccc5b25e0e00e45777730d26abb5316
- d52de1c29be8668a69af6c98ad86ec46eb94a3b0329e03d9fb44bb703070a771
- ce16e9a2d3722bb5f5b3636f307bd386ed24abafea72aeb6dd002d51eeca16df
- 9269dc68d46630c0d534bf62a299037fd3a124a6459d97692c25ffb89ccd1f08
- 9cf4e03defd1e58ff5767c230281c7d72a46bc350e99162281358ad771d1865f
SHA-1
- 1077a3dc0d9ccfbb73bd9f2e6b72bc67addcf2ab
- 153b8e46458bd65a68a89d258997e314fef72181
- ea44e9fbdbe5906a7fc469a988d83587e8e4b20d
- aa5b5f24bdfb049ef51bbb6246cb56cec89752bf
- 829aadbde42df14ce8ed06ac02ad697a6c9798fe
Remediation
- Block the listed domains, IPs and file hashes in your perimeter, DNS, proxy and endpoint controls. Note that 104[.]21[.]49[.]220 falls inside Cloudflare's shared 104.16.0.0/12 edge range, consistent with the workers[.]dev C&C hosts being served from Cloudflare; block those by domain name rather than by address, since the address is shared with unrelated Cloudflare-fronted sites.
- Search your environment for the IOCs: the file hashes and bare file names on disk, the two scheduled-task files under System32\Tasks, and DNS or proxy records for the workers[.]dev domains and the listed IPs.
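To act on the remediation steps above, here is an added example (not Rewterz, ESET or Trend Micro code) that refangs the advisory's indicators and sweeps constructed telemetry for them: DNS log lines in an assumed `<timestamp> <client> <qname> <answer>` format, a file-path inventory, and EDR-style `(path, algorithm, digest)` hash records. It goes one step beyond the list in two ways: any other workers[.]dev lookup is reported as a lead rather than a match, and a hit on 104[.]21[.]49[.]220 is downgraded to a review item because that address sits in Cloudflare's shared 104.16.0.0/12 range. All host names, benign paths and 10.0.0.x / 203.0.113.x addresses in the sample data are constructed.

```python
# Added example (not Rewterz, ESET or Trend Micro code): sweep constructed host and
# DNS telemetry for the SideWalk indicators listed above. Log format, host names,
# benign paths and the 10.0.0.x / 203.0.113.x addresses are all constructed.
import hashlib
import ipaddress
import re

# Indicators exactly as the advisory lists them (defanged).
DOMAINS = ["update[.]facebookint[.]workers[.]dev", "cdn[.]cloudfiare[.]workers[.]dev"]
IPS = ["104[.]21[.]49[.]220", "80[.]85[.]155[.]80", "193[.]38[.]54[.]110"]
PATHS = [
    r"C[:]\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\WebService",
    r"C[:]\windows\system32\tasks\Microsoft\Windows\Ras\RasTaskStart",
    "iislog[.]tmp", "mscorsecimpl[.]tlb", "C_25749[.]NLS", "Microsoft[.]WebService[.]targets",
]
HASHES = {
    "md5": {"cde90ac52c964a6c6b4326347822c561", "a1d972a6aa398d0230e577227b28e499",
            "6fb64677980d2cae622e9ed6e4f4c449", "c629ae2af8689989fc14b26405761d03",
            "1d36404f85d94bea6c976044cb342f24"},
    "sha1": {"1077a3dc0d9ccfbb73bd9f2e6b72bc67addcf2ab", "153b8e46458bd65a68a89d258997e314fef72181",
             "ea44e9fbdbe5906a7fc469a988d83587e8e4b20d", "aa5b5f24bdfb049ef51bbb6246cb56cec89752bf",
             "829aadbde42df14ce8ed06ac02ad697a6c9798fe"},
    "sha256": {"34f95e0307959a376df28bc648190f72bccc5b25e0e00e45777730d26abb5316",
               "d52de1c29be8668a69af6c98ad86ec46eb94a3b0329e03d9fb44bb703070a771",
               "ce16e9a2d3722bb5f5b3636f307bd386ed24abafea72aeb6dd002d51eeca16df",
               "9269dc68d46630c0d534bf62a299037fd3a124a6459d97692c25ffb89ccd1f08",
               "9cf4e03defd1e58ff5767c230281c7d72a46bc350e99162281358ad771d1865f"},
}
# Cloudflare's shared edge range. The workers.dev hosts are fronted from it, so an
# answer-IP match on 104.21.49.220 alone is not evidence of SideWalk traffic.
CLOUDFLARE_SHARED = ipaddress.ip_network("104.16.0.0/12")


def refang(ioc: str) -> str:
    """Undo the '[.]' and '[:]' defanging so indicators compare against real data."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


BAD_DOMAINS = {refang(d).lower() for d in DOMAINS}
BAD_IPS = {refang(i) for i in IPS}
BAD_FULL_PATHS = {refang(p).lower() for p in PATHS if "\\" in p}  # scheduled-task files
BAD_NAMES = {refang(p).lower() for p in PATHS if "\\" not in p}   # bare file names
DNS_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")  # "<ts> <client> <qname> <answer>"


def hunt_dns(lines):
    """Return (client, qname, reason) for each DNS line touching a SideWalk indicator."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, answer = m.groups()
        qname = qname.rstrip(".").lower()
        if qname in BAD_DOMAINS:
            hits.append((client, qname, "c2 domain"))
        elif answer in BAD_IPS:
            shared = ipaddress.ip_address(answer) in CLOUDFLARE_SHARED
            hits.append((client, qname, "shared cloudflare ip (review)" if shared else "c2 ip"))
        elif qname.endswith(".workers.dev"):
            # Not an advisory IOC, only a lead: the backdoor uses Cloudflare Workers for C&C.
            hits.append((client, qname, "workers.dev lookup (review)"))
    return hits


def hunt_paths(paths):
    """Match inventory paths on the full scheduled-task path or on the bare file name."""
    hits = []
    for p in paths:
        low = p.replace("/", "\\").lower()
        if low in BAD_FULL_PATHS or low.rsplit("\\", 1)[-1] in BAD_NAMES:
            hits.append(p)
    return hits


def hunt_hashes(records):
    """records: (path, algo, hexdigest) rows such as an EDR file-inventory export."""
    return [(path, algo) for path, algo, h in records if h.lower() in HASHES.get(algo, set())]


SAMPLE_DNS = [  # constructed
    "2021-08-25T10:01:02Z 10.0.0.15 update.facebookint.workers.dev. 104.21.49.220",
    "2021-08-25T10:01:09Z 10.0.0.15 www.example.com. 203.0.113.7",
    "2021-08-25T10:02:11Z 10.0.0.22 cdn.cloudfiare.workers.dev. 203.0.113.8",
    "2021-08-25T10:03:40Z 10.0.0.31 tooling.example.workers.dev. 203.0.113.9",
    "2021-08-25T10:04:00Z 10.0.0.44 static.example.net. 193.38.54.110",
    "2021-08-25T10:05:00Z 10.0.0.50 blog.example.org. 104.21.49.220",
]
SAMPLE_PATHS = [  # constructed
    r"C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\WebService",
    r"C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start",
    r"C:\inetpub\logs\iislog.tmp",
    r"C:\Windows\System32\C_1252.NLS",
    r"C:\Windows\System32\C_25749.NLS",
]
SAMPLE_HASHES = [  # digests lifted from the lists above; the paths are constructed
    (r"C:\Users\Public\sample_a.bin", "md5", "cde90ac52c964a6c6b4326347822c561"),
    (r"C:\Users\Public\sample_b.bin", "sha256", hashlib.sha256(b"benign constructed bytes").hexdigest()),
    (r"C:\Users\Public\sample_c.bin", "sha1", "153B8E46458BD65A68A89D258997E314FEF72181"),
]

if __name__ == "__main__":
    for hit in hunt_dns(SAMPLE_DNS) + hunt_paths(SAMPLE_PATHS) + hunt_hashes(SAMPLE_HASHES):
        print(hit)
```

The two scheduled-task entries are matched on their full path because `WebService` and `RasTaskStart` are too generic to hunt by name alone, whereas the remaining file names are specific enough to match anywhere on disk. Hash comparison is case-insensitive, since EDR exports differ on that, and the sweep adapts to a real environment by swapping the `SAMPLE_*` lists for your own DNS export, file inventory and hash table while the matching logic stays the same.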