Discover and read the best of Twitter Threads about #winnti
Most recents (2)
#ESETresearch has recently discovered a new undocumented modular backdoor, SideWalk, that was used by an APT group we named SparklingGoblin during one of its recent campaigns targeting a US-based computer retail company 🇺🇸. welivesecurity.com/2021/08/24/sid… @passil_t @mathieutartare 1/6
SideWalk is a modular backdoor that can dynamically load additional modules sent from the C&C server, makes use of Google Docs as a dead drop resolver, and @Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy. 2/6
This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK, which FireEye was first to attribute to #APT41. This backdoor is referenced as ScrambleCross by Trend Micro 3/6
#ESETresearch stumbled upon strange samples which use the packer we described in publications on the #Winnti Group. The payload in these samples is an implant attributed to Equation. It is known as PeddleCheap according to the project names seen in the Shadow Brokers leaks. 1/8 
Those samples were first seen in 2017, one year before it was used in the compromised games in 2018 (welivesecurity.com/2019/03/11/gam…). They are 8b8d2eb8de66890f4c0950ccb3fff95b0f42b9e1 and b48beb5e49976294287b1d6910d7445db83e5cf2. #ESETresearch @marc_etienne_ 2/8
These particular executables do 3 things: launch the legitimate Adobe Flash installer, copy itself to %TEMP%\micrit.exe and start PeddleCheap. #ESETresearch @marc_etienne_ 3/8
