Open Hunting - Threat Library

Openhunting Threat Library

SideWalk

SideWalk, ScrambleCross

(Type: Reconnaissance, Backdoor)

(ESET) This backdoor shares multiple similarities with another backdoor used by the group: {{CrossWalk}}. SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C server, makes use of Google Docs as a dead drop resolver, and uses Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy.

[News Analysis] Trends:

Total Trend: 5

Trend Per Year

2021

2022

2023

Trend Per Month

Aug 2021

Sep 2021

Sep 2022

Jul 2023

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection

2023-07-18 by Mandiant Intelligence from Mandiant

You never walk alone: The SideWalk backdoor gets a Linux variant

2022-09-14 by Vladislav Hrčka from ESET Research

Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware

2021-09-09 by Threat Hunter Team from Symantec

Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor

2021-08-25 by Hara Hiroaki from Trend Micro

The SideWalk may be as dangerous as the CROSSWALK

2021-08-24 by Thibaut Passilly from ESET Research

Basic Information (Credit @etda.or.th)

Tool: SideWalk

Names: SideWalk, ScrambleCross

Description: (ESET) This backdoor shares multiple similarities with another backdoor used by the group: {{CrossWalk}}. SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C server, makes use of Google Docs as a dead drop resolver, and uses Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy.

Category: Malware

Type: Reconnaissance, Backdoor

Information: https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/

Information: https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf

Information: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewalk

Last-card-change: 2021-12-28

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact