SYMBOLCOMMON_NAMEaka. SYNONYMS
win.crosswalk (Back to overview)

CROSSWALK

aka: ProxIP, Motnug, TOMMYGUN

Actor(s): APT41


According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.

References
2022-05-12TEAMT5Leon Chang, Silvia Yeh
@techreport{chang:20220512:next:5fd8a83, author = {Leon Chang and Silvia Yeh}, title = {{The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)}}, date = {2022-05-12}, institution = {TEAMT5}, url = {https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf}, language = {English}, urldate = {2022-08-08} } The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu
2021-09-09SymantecThreat Hunter Team
@online{team:20210909:grayfly:60c5478, author = {Threat Hunter Team}, title = {{Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware}}, date = {2021-09-09}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware}, language = {English}, urldate = {2021-09-10} } Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
CROSSWALK MimiKatz SideWalk
2021-08-24ESET ResearchThibaut Passilly, Mathieu Tartare
@online{passilly:20210824:sidewalk:75d39db, author = {Thibaut Passilly and Mathieu Tartare}, title = {{The SideWalk may be as dangerous as the CROSSWALK}}, date = {2021-08-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/}, language = {English}, urldate = {2021-08-31} } The SideWalk may be as dangerous as the CROSSWALK
Cobalt Strike CROSSWALK SideWalk
2021-01-15The Hacker NewsRavie Lakshmaman
@online{lakshmaman:20210115:researchers:d524572, author = {Ravie Lakshmaman}, title = {{Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks}}, date = {2021-01-15}, organization = {The Hacker News}, url = {https://thehackernews.com/2021/01/researchers-disclose-undocumented.html}, language = {English}, urldate = {2021-06-29} } Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks
CROSSWALK
2021-01-14PTSecurityPT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7, author = {PT ESC Threat Intelligence}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/}, language = {English}, urldate = {2021-02-09} } Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2020-11-13Youtube (The Standoff)Alexey Zakharov, Positive Technologies
@online{zakharov:20201113:ff202eng:1d1222c, author = {Alexey Zakharov and Positive Technologies}, title = {{FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research}}, date = {2020-11-13}, organization = {Youtube (The Standoff)}, url = {https://www.youtube.com/watch?v=8x-pGlWpIYI}, language = {English}, urldate = {2020-11-23} } FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research
CROSSWALK Unidentified 076 (Higaisa LNK to Shellcode)
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-09-18SymantecThreat Hunter Team
@online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-21YouTube ( OPCDE with Matt Suiche)Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2019-09-30vmwareScott Knight
@online{knight:20190930:cb:a21cf30, author = {Scott Knight}, title = {{CB Threat Analysis Unit: Technical Analysis of “Crosswalk”}}, date = {2019-09-30}, organization = {vmware}, url = {https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/}, language = {English}, urldate = {2020-04-21} } CB Threat Analysis Unit: Technical Analysis of “Crosswalk”
CROSSWALK
2019-08-09FireEyeFireEye
@online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti
2018-12-24Twitter (@MrDanPerez)Dan Perez
@online{perez:20181224:hashes:9a4fc8c, author = {Dan Perez}, title = {{Tweet on hashes for CROSSWALK}}, date = {2018-12-24}, organization = {Twitter (@MrDanPerez)}, url = {https://twitter.com/MrDanPerez/status/1159459082534825986}, language = {English}, urldate = {2019-11-27} } Tweet on hashes for CROSSWALK
CROSSWALK
Yara Rules
[TLP:WHITE] win_crosswalk_auto (20230125 | Detects win.crosswalk.)
rule win_crosswalk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.crosswalk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33f6 8d6e20 8bcd e8???????? }
            // n = 4, score = 1300
            //   33f6                 | mov                 eax, esi
            //   8d6e20               | xor                 edx, edx
            //   8bcd                 | inc                 ecx
            //   e8????????           |                     

        $sequence_1 = { 410fbe00 49ffc0 d3ca 03d0 4183ef01 }
            // n = 5, score = 1300
            //   410fbe00             | inc                 ecx
            //   49ffc0               | movsx               eax, byte ptr [eax]
            //   d3ca                 | dec                 ecx
            //   03d0                 | inc                 eax
            //   4183ef01             | ror                 edx, cl

        $sequence_2 = { 458bc6 33d2 488bc8 e8???????? 4533c9 4533c0 }
            // n = 6, score = 1300
            //   458bc6               | mov                 eax, eax
            //   33d2                 | imul                ecx
            //   488bc8               | add                 edx, ecx
            //   e8????????           |                     
            //   4533c9               | sar                 edx, 0xb
            //   4533c0               | mov                 eax, edx

        $sequence_3 = { ff15???????? 448bf0 4533c9 4533c0 }
            // n = 4, score = 1300
            //   ff15????????         |                     
            //   448bf0               | inc                 ecx
            //   4533c9               | movsx               eax, byte ptr [eax]
            //   4533c0               | dec                 ecx

        $sequence_4 = { 4c8bc6 33d2 410fbe00 49ffc0 }
            // n = 4, score = 1300
            //   4c8bc6               | inc                 ebp
            //   33d2                 | mov                 eax, esi
            //   410fbe00             | xor                 edx, edx
            //   49ffc0               | dec                 eax

        $sequence_5 = { c1fa0b 8bc2 c1e81f 03d0 69c2890e0000 }
            // n = 5, score = 1300
            //   c1fa0b               | add                 edx, eax
            //   8bc2                 | inc                 ecx
            //   c1e81f               | sub                 edi, 1
            //   03d0                 | inc                 ebp
            //   69c2890e0000         | mov                 eax, esi

        $sequence_6 = { 41b88d56e68c 418bc0 f7e9 03d1 c1fa0b 8bc2 }
            // n = 6, score = 1300
            //   41b88d56e68c         | add                 edx, eax
            //   418bc0               | inc                 ecx
            //   f7e9                 | sub                 edi, 1
            //   03d1                 | inc                 ecx
            //   c1fa0b               | mov                 eax, 0x8ce6568d
            //   8bc2                 | inc                 ecx

        $sequence_7 = { 458d7ee0 418bd7 ff15???????? 4821742420 }
            // n = 4, score = 1300
            //   458d7ee0             | inc                 ecx
            //   418bd7               | sub                 edi, 1
            //   ff15????????         |                     
            //   4821742420           | dec                 esp

        $sequence_8 = { eb17 81fa00010000 7313 8a87f4814100 08441619 }
            // n = 5, score = 200
            //   eb17                 | jmp                 0x19
            //   81fa00010000         | cmp                 edx, 0x100
            //   7313                 | jae                 0x15
            //   8a87f4814100         | mov                 al, byte ptr [edi + 0x4181f4]
            //   08441619             | or                  byte ptr [esi + edx + 0x19], al

        $sequence_9 = { eb7c c745e0205b4100 ebbb d9e8 8b4510 }
            // n = 5, score = 200
            //   eb7c                 | jmp                 0x7e
            //   c745e0205b4100       | mov                 dword ptr [ebp - 0x20], 0x415b20
            //   ebbb                 | jmp                 0xffffffbd
            //   d9e8                 | fld1                
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_10 = { c1e002 50 8b85b4f8ffff 0fb70485c4574100 8d0485c04e4100 50 }
            // n = 6, score = 200
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax
            //   8b85b4f8ffff         | mov                 eax, dword ptr [ebp - 0x74c]
            //   0fb70485c4574100     | movzx               eax, word ptr [eax*4 + 0x4157c4]
            //   8d0485c04e4100       | lea                 eax, [eax*4 + 0x414ec0]
            //   50                   | push                eax

        $sequence_11 = { ff15???????? 85c0 7f32 68???????? }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7f32                 | jg                  0x34
            //   68????????           |                     

        $sequence_12 = { 8b0485808e4100 8b4de0 f644082801 7515 }
            // n = 4, score = 200
            //   8b0485808e4100       | mov                 eax, dword ptr [eax*4 + 0x418e80]
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   f644082801           | test                byte ptr [eax + ecx + 0x28], 1
            //   7515                 | jne                 0x17

        $sequence_13 = { 8934b8 8bc7 83e03f 6bc830 8b0495808e4100 8b440818 }
            // n = 6, score = 200
            //   8934b8               | mov                 dword ptr [eax + edi*4], esi
            //   8bc7                 | mov                 eax, edi
            //   83e03f               | and                 eax, 0x3f
            //   6bc830               | imul                ecx, eax, 0x30
            //   8b0495808e4100       | mov                 eax, dword ptr [edx*4 + 0x418e80]
            //   8b440818             | mov                 eax, dword ptr [eax + ecx + 0x18]

        $sequence_14 = { 0f82eefeffff eb29 8b55d4 8a07 8b0c95808e4100 8844192e 8b0495808e4100 }
            // n = 7, score = 200
            //   0f82eefeffff         | jb                  0xfffffef4
            //   eb29                 | jmp                 0x2b
            //   8b55d4               | mov                 edx, dword ptr [ebp - 0x2c]
            //   8a07                 | mov                 al, byte ptr [edi]
            //   8b0c95808e4100       | mov                 ecx, dword ptr [edx*4 + 0x418e80]
            //   8844192e             | mov                 byte ptr [ecx + ebx + 0x2e], al
            //   8b0495808e4100       | mov                 eax, dword ptr [edx*4 + 0x418e80]

        $sequence_15 = { 8bde 895dd8 8365fc00 8b45e4 8b0485808e4100 8b4de0 }
            // n = 6, score = 200
            //   8bde                 | mov                 ebx, esi
            //   895dd8               | mov                 dword ptr [ebp - 0x28], ebx
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b0485808e4100       | mov                 eax, dword ptr [eax*4 + 0x418e80]
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]

    condition:
        7 of them and filesize < 286720
}
Download all Yara Rules