The Sidewalk malware was recently documented by ESET researchers who attributed it to a group it calls SparklingGoblin. Symantec's Threat Hunter Team has now connected the malware to Grayfly, also known as GREF and Wicked Panda, a Chinese espionage group that had several members indicted in the US last year. While it's sometimes labeled APT41, Symantec considers Grayfly the espionage branch of APT41.
"The recent campaign involving Sidewalk suggests that Grayfly has been undeterred by the publicity surrounding the indictments," researchers wrote in a blog post on their findings.
Grayfly has been seen targeting several countries in Asia, Europe, and North America, affecting organizations in a range of industries, including food, financial, healthcare, hospitality, manufacturing, and telecommunications. Its more recent activity has continued a focus on telecom with additional victims in the media, finance, and IT service provider industries.
This group usually targets public-facing Web servers to install Web shells for its initial foothold before spreading further within a target network. Once inside, Grayfly may install custom backdoors onto additional systems so they can maintain remote access.
In its recent campaign, the group seemed interested in targeting exposed Microsoft Exchange or MySQL servers, suggesting its initial attack vector may include exploiting multiple flaws on public-facing servers. In at least one attack, the Exchange activity was followed by PowerShell commands used to then install an unidentified Web shell before executing the backdoor.
Read the full blog post for more details.