Crosswalk Backdoor Description
Infosec researchers uncovered a series of attacks by a China-based threat actor in which a previously unknown backdoor was deployed alongside older tools such as Crosswalk. The malicious operations predominantly targeted video game developers and publishers in Hong Kong and Russia. Across the four distinct attacks, the hackers employed several different malware strains, which made attributing the campaign to a particular threat actor more difficult.
In May 2020, the hackers launched two separate attacks. The first relied on LNK shortcuts that fetched and executed the final payload, while the second used a somewhat more elaborate attack chain. The hackers sent emails carrying a malicious RAR archive as an attachment. Inside the archive were two shortcuts to PDFs that served as decoys, posing as a CV and an IELTS certificate. The shortcuts' true purpose was to connect to Zeplin, a legitimate collaboration tool used by developers, on which the hackers hosted their final-stage payload: a shellcode loader named 'svchast.exe' (one character off from the legitimate Windows 'svchost.exe') and Crosswalk, a backdoor stored inside a file named '3t54dE3r.tmp.'
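The two file names above are the kind of artifact a hunter can turn into a detection: a process whose name is one edit away from a Windows system binary (or that carries a genuine system-binary name but runs from outside the system directories), followed by that same process reading a '.tmp' file, is exactly the loader-plus-payload pattern described. The script below is an added example, not code from the original page or from any vendor report. It runs over constructed, Sysmon-like JSON lines (the log format, field names and every event are assumptions made for illustration; only the names svchast.exe and 3t54dE3r.tmp come from the text above) and correlates the two observations.

```python
"""Hunt for masqueraded system-binary names and the .tmp payload they read.

Added example, not from the page or any vendor report. The JSON-lines
telemetry format and the sample events are constructed for illustration.
"""
import json
import ntpath

# Windows binaries whose names malware commonly imitates (e.g. svchast.exe
# for svchost.exe).  Tuple, not set, so matching order is deterministic.
SYSTEM_BINARIES = (
    "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe",
    "services.exe", "smss.exe", "wininit.exe", "spoolsv.exe", "dllhost.exe",
)
# Directories from which the genuine binaries are expected to run.
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def edit_distance(a, b):
    """Levenshtein distance; file names are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def masquerade_hit(image):
    """Return the system binary that `image` imitates, or None.

    Two cases are flagged: a genuine system-binary name running from outside
    the trusted directories, and a name exactly one edit away from a system
    binary regardless of location.
    """
    path = image.lower()
    name = ntpath.basename(path)            # ntpath handles backslashes on any OS
    trusted = ntpath.dirname(path) in TRUSTED_DIRS
    for legit in SYSTEM_BINARIES:
        distance = edit_distance(name, legit)
        if distance == 0 and not trusted:
            return legit                    # right name, wrong place
        if distance == 1:
            return legit                    # one-character lookalike
    return None


def hunt(lines):
    """Scan JSON-lines telemetry and return a list of findings.

    A 'file_read' of a .tmp file is only reported when the reading process
    was already flagged as a masquerade, which is the loader/payload pairing
    (svchast.exe reading 3t54dE3r.tmp) described in the text.
    """
    findings = []
    suspects = set()                        # lower-cased images already flagged
    for line in lines:
        event = json.loads(line)
        image = event["image"]
        if event["type"] == "process_create":
            legit = masquerade_hit(image)
            if legit:
                suspects.add(image.lower())
                findings.append({"rule": "masquerade", "image": image,
                                 "imitates": legit})
        elif event["type"] == "file_read":
            target = event["target"]
            if target.lower().endswith(".tmp") and image.lower() in suspects:
                findings.append({"rule": "tmp_payload", "image": image,
                                 "target": target})
    return findings


# Constructed sample telemetry (assumed format; events are invented).
SAMPLE_LOG = [
    r'{"type":"process_create","image":"C:\\Windows\\System32\\svchost.exe","parent":"C:\\Windows\\System32\\services.exe"}',
    r'{"type":"process_create","image":"C:\\Windows\\explorer.exe","parent":"C:\\Windows\\System32\\userinit.exe"}',
    r'{"type":"process_create","image":"C:\\Users\\dev\\AppData\\Local\\Temp\\svchast.exe","parent":"C:\\Windows\\explorer.exe"}',
    r'{"type":"file_read","image":"C:\\Windows\\System32\\notepad.exe","target":"C:\\Users\\dev\\AppData\\Local\\Temp\\notes.tmp"}',
    r'{"type":"file_read","image":"C:\\Users\\dev\\AppData\\Local\\Temp\\svchast.exe","target":"C:\\Users\\dev\\AppData\\Local\\Temp\\3t54dE3r.tmp"}',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The legitimate svchost.exe and explorer.exe events produce nothing, and notepad reading a .tmp file is ignored because notepad was never flagged; only the lookalike process and its .tmp read are reported. A one-edit threshold is deliberately tight: widening it catches more typosquats but starts to collide with genuine short names, so tune it against your own process inventory before deploying.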
Crosswalk is not a new malware strain; it was first detected back in 2017. At its core it is a lightweight modular backdoor that collects reconnaissance information from compromised computers. Because it is modular, however, its functionality can be extended to suit the attackers' objectives by fetching additional modules, delivered as shellcode, from the campaign's Command-and-Control (C2, C&C) infrastructure.
Finding the Group behind the Attacks
The deployment of Crosswalk finally gave the researchers the confidence to link the attacks to the Chinese hacker group known as APT41 or Winnti. Judging solely from the initial attack, the signs had pointed mostly toward the Korean hackers of the Higaisa group, who are known for using LNK shortcuts in their operations. The presence of Crosswalk, together with infrastructure overlap between previous Winnti campaigns and this series of attacks, led the researchers away from their original conjecture and toward the likely culprit. The targets are also consistent with past Winnti victims, which likewise operated in the video game industry.
The group's activity is still ongoing. In the more recent attacks, the deployed malware payload has changed once more. In some instances, malicious RAR archives carrying a variant of the Cobalt Strike Beacon have been observed. In others, the hackers leveraged compromised certificates from a Taiwanese company called Zealot Digital to launch attacks against victims in Hong Kong, delivering Crosswalk and Metasploit. A plethora of other malware has also been weaponized, including ShadowPad, Paranoid PlugX, and FunnySwitch, a previously unknown .NET backdoor.