SYMBOLCOMMON_NAMEaka. SYNONYMS
win.crosswalk (Back to overview)

CROSSWALK

aka: ProxIP, Motnug

Actor(s): APT41

According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.

References
2021-01-14PTSecurityPT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7, author = {PT ESC Threat Intelligence}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/}, language = {English}, urldate = {2021-02-09} } Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2020-11-13Youtube (The Standoff)Alexey Zakharov, Positive Technologies
@online{zakharov:20201113:ff202eng:1d1222c, author = {Alexey Zakharov and Positive Technologies}, title = {{FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research}}, date = {2020-11-13}, organization = {Youtube (The Standoff)}, url = {https://www.youtube.com/watch?v=8x-pGlWpIYI}, language = {English}, urldate = {2020-11-23} } FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research
CROSSWALK Unidentified 076 (Higaisa LNK to Shellcode)
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-09-18SymantecThreat Hunter Team
@online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2019-09-30vmwareScott Knight
@online{knight:20190930:cb:a21cf30, author = {Scott Knight}, title = {{CB Threat Analysis Unit: Technical Analysis of “Crosswalk”}}, date = {2019-09-30}, organization = {vmware}, url = {https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/}, language = {English}, urldate = {2020-04-21} } CB Threat Analysis Unit: Technical Analysis of “Crosswalk”
CROSSWALK
2019-08-09FireEyeFireEye
@online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti
2018-12-24Twitter (@MrDanPerez)Dan Perez
@online{perez:20181224:hashes:9a4fc8c, author = {Dan Perez}, title = {{Tweet on hashes for CROSSWALK}}, date = {2018-12-24}, organization = {Twitter (@MrDanPerez)}, url = {https://twitter.com/MrDanPerez/status/1159459082534825986}, language = {English}, urldate = {2019-11-27} } Tweet on hashes for CROSSWALK
CROSSWALK
Yara Rules
[TLP:WHITE] win_crosswalk_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_crosswalk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33f6 8d6e20 8bcd e8???????? }
            // n = 4, score = 1300
            //   33f6                 | inc                 ecx
            //   8d6e20               | sub                 edi, 1
            //   8bcd                 | jne                 0xfffffff1
            //   e8????????           |                     

        $sequence_1 = { d3ca 03d0 4183ef01 75ef }
            // n = 4, score = 1300
            //   d3ca                 | mov                 eax, eax
            //   03d0                 | imul                ecx
            //   4183ef01             | add                 edx, ecx
            //   75ef                 | sar                 edx, 0xb

        $sequence_2 = { 4c8bc6 33d2 410fbe00 49ffc0 d3ca 03d0 }
            // n = 6, score = 1300
            //   4c8bc6               | add                 edx, eax
            //   33d2                 | dec                 esp
            //   410fbe00             | mov                 eax, esi
            //   49ffc0               | xor                 edx, edx
            //   d3ca                 | inc                 ecx
            //   03d0                 | movsx               eax, byte ptr [eax]

        $sequence_3 = { 458d7ee0 418bd7 ff15???????? 4821742420 }
            // n = 4, score = 1300
            //   458d7ee0             | mov                 eax, edx
            //   418bd7               | shr                 eax, 0x1f
            //   ff15????????         |                     
            //   4821742420           | add                 edx, eax

        $sequence_4 = { c1e81f 03d0 69c2890e0000 3bc8 }
            // n = 4, score = 1300
            //   c1e81f               | inc                 ecx
            //   03d0                 | mov                 eax, eax
            //   69c2890e0000         | imul                ecx
            //   3bc8                 | add                 edx, ecx

        $sequence_5 = { 458bc6 33d2 488bc8 e8???????? 4533c9 }
            // n = 5, score = 1300
            //   458bc6               | mov                 eax, edx
            //   33d2                 | shr                 eax, 0x1f
            //   488bc8               | add                 edx, eax
            //   e8????????           |                     
            //   4533c9               | imul                eax, edx, 0xe89

        $sequence_6 = { ff15???????? 448bf0 4533c9 4533c0 }
            // n = 4, score = 1300
            //   ff15????????         |                     
            //   448bf0               | shr                 eax, 0x1f
            //   4533c9               | add                 edx, eax
            //   4533c0               | imul                eax, edx, 0xe89

        $sequence_7 = { 418bc0 f7e9 03d1 c1fa0b 8bc2 c1e81f 03d0 }
            // n = 7, score = 1300
            //   418bc0               | inc                 ecx
            //   f7e9                 | mov                 eax, eax
            //   03d1                 | imul                ecx
            //   c1fa0b               | add                 edx, ecx
            //   8bc2                 | sar                 edx, 0xb
            //   c1e81f               | mov                 eax, edx
            //   03d0                 | shr                 eax, 0x1f

        $sequence_8 = { a1???????? 897de0 394508 7c1f 3934bd808e4100 7531 e8???????? }
            // n = 7, score = 200
            //   a1????????           |                     
            //   897de0               | cmp                 ecx, eax
            //   394508               | inc                 ecx
            //   7c1f                 | mov                 eax, 0x8ce6568d
            //   3934bd808e4100       | inc                 ecx
            //   7531                 | mov                 eax, eax
            //   e8????????           |                     

        $sequence_9 = { f20f59db 660f282d???????? 660f59f5 660f28aa80594100 }
            // n = 4, score = 200
            //   f20f59db             | sar                 edx, 0xb
            //   660f282d????????     |                     
            //   660f59f5             | inc                 ecx
            //   660f28aa80594100     | mov                 eax, 0x8ce6568d

        $sequence_10 = { 53 56 8b0485808e4100 33db 8b7508 }
            // n = 5, score = 200
            //   53                   | shr                 eax, 0x1f
            //   56                   | dec                 esp
            //   8b0485808e4100       | mov                 eax, esi
            //   33db                 | xor                 edx, edx
            //   8b7508               | inc                 ecx

        $sequence_11 = { 6a00 8d78f4 57 56 }
            // n = 4, score = 200
            //   6a00                 | imul                ecx
            //   8d78f4               | add                 edx, ecx
            //   57                   | sar                 edx, 0xb
            //   56                   | mov                 eax, edx

        $sequence_12 = { c745e0245b4100 8b4508 8bcf 8b7510 dd00 8b450c dd5de4 }
            // n = 7, score = 200
            //   c745e0245b4100       | xor                 edx, edx
            //   8b4508               | inc                 ecx
            //   8bcf                 | movsx               eax, byte ptr [eax]
            //   8b7510               | dec                 ecx
            //   dd00                 | inc                 eax
            //   8b450c               | ror                 edx, cl
            //   dd5de4               | inc                 esp

        $sequence_13 = { 8b04bd808e4100 f644032801 7444 837c0318ff 743d }
            // n = 5, score = 200
            //   8b04bd808e4100       | inc                 ecx
            //   f644032801           | sub                 edi, 1
            //   7444                 | shr                 eax, 0x1f
            //   837c0318ff           | add                 edx, eax
            //   743d                 | imul                eax, edx, 0xe89

        $sequence_14 = { 8be5 5d c3 6a40 6800100000 50 }
            // n = 6, score = 200
            //   8be5                 | inc                 ecx
            //   5d                   | mov                 eax, eax
            //   c3                   | imul                ecx
            //   6a40                 | add                 edx, ecx
            //   6800100000           | sar                 edx, 0xb
            //   50                   | mov                 eax, edx

        $sequence_15 = { 660f28aa80594100 660f54e5 660f58fe 660f58fc 660f59c8 }
            // n = 5, score = 200
            //   660f28aa80594100     | movsx               eax, byte ptr [eax]
            //   660f54e5             | dec                 ecx
            //   660f58fe             | inc                 eax
            //   660f58fc             | ror                 edx, cl
            //   660f59c8             | add                 edx, eax

    condition:
        7 of them and filesize < 286720
}
Download all Yara Rules