MoonWalk

July 12, 2024, 4:20 p.m.

Description

This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. To hinder security solutions, MoonWalk uses several evasion techniques, including DLL hollowing, call stack spoofing, and abuse of Windows Fibers (running its payload on fibers rather than in newly created threads). It also uses Google Drive as its command-and-control channel, so its beacons blend in with legitimate traffic to Google APIs. MoonWalk's modular design allows capabilities to be updated easily and customized for different scenarios.
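Because the C2 channel is the legitimate Google Drive API, domain and hash indicators alone will not catch a fresh build; one behavioural angle is timing, since an implant polling Drive for tasking tends to do so at a far more regular interval than a user's browser does. The following is an added example, not code from the original report or from any APT41 tooling: it runs a simple inter-arrival periodicity check over a constructed proxy log. The log format, the process names, the sample lines and the thresholds are assumptions made for the example; the host www.googleapis.com and the /drive/v3/ and /upload/drive/v3/ path prefixes are the real Drive v3 API endpoints.

```python
"""Periodicity heuristic for Google Drive API traffic used as a C2 channel.

Added example; not code from the MoonWalk report. The proxy log format
(timestamp src process method url) and all sample lines are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log lines: none of these represent real MoonWalk traffic.
# 10.1.2.9/svchost.exe polls Drive every 60 s exactly; 10.1.2.20/updater.exe
# polls every ~300 s with a little jitter; 10.1.2.3/chrome.exe is a human.
SAMPLE_LOG = """\
2024-07-12T10:00:00Z 10.1.2.9 svchost.exe GET https://www.googleapis.com/drive/v3/files?q=name%3D%27task%27
2024-07-12T10:00:12Z 10.1.2.3 chrome.exe GET https://www.googleapis.com/drive/v3/files?q=name%3D%27report.docx%27
2024-07-12T10:00:30Z 10.1.2.9 svchost.exe GET https://www.google.com/
2024-07-12T10:00:49Z 10.1.2.3 chrome.exe GET https://www.googleapis.com/drive/v3/files/abc123?alt=media
2024-07-12T10:01:00Z 10.1.2.9 svchost.exe GET https://www.googleapis.com/drive/v3/files?q=name%3D%27task%27
2024-07-12T10:02:00Z 10.1.2.9 svchost.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart
2024-07-12T10:03:00Z 10.1.2.9 svchost.exe GET https://www.googleapis.com/drive/v3/files?q=name%3D%27task%27
2024-07-12T10:03:40Z 10.1.2.3 chrome.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable
2024-07-12T10:04:00Z 10.1.2.9 svchost.exe GET https://www.googleapis.com/drive/v3/files?q=name%3D%27task%27
2024-07-12T10:04:30Z 10.1.2.3 chrome.exe GET https://www.googleapis.com/drive/v3/about?fields=user
2024-07-12T10:00:00Z 10.1.2.20 updater.exe GET https://www.googleapis.com/drive/v3/files
2024-07-12T10:04:50Z 10.1.2.20 updater.exe GET https://www.googleapis.com/drive/v3/files
2024-07-12T10:10:00Z 10.1.2.20 updater.exe GET https://www.googleapis.com/drive/v3/files
2024-07-12T10:14:55Z 10.1.2.20 updater.exe GET https://www.googleapis.com/drive/v3/files
2024-07-12T10:20:00Z 10.1.2.20 updater.exe GET https://www.googleapis.com/drive/v3/files
"""

# Assumed log layout: five whitespace-separated fields per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>\S+) (?P<url>\S+)$")

# Real Drive v3 API host and path prefixes (metadata/list calls and uploads).
DRIVE_HOST = "www.googleapis.com"
DRIVE_PATH_PREFIXES = ("/drive/v3/", "/upload/drive/v3/")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # fromisoformat() accepts a +00:00 offset on every supported Python version.
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def is_drive_api(url):
    """True if the URL targets the Drive v3 API (list/get or upload endpoints)."""
    parts = urlsplit(url)
    return parts.hostname == DRIVE_HOST and parts.path.startswith(DRIVE_PATH_PREFIXES)


def find_beacons(log_text, min_requests=4, max_cv=0.15):
    """Flag (source, process) pairs whose Drive API requests arrive at a
    near-constant interval.

    The coefficient of variation (population stdev / mean) of the gaps between
    consecutive requests is the regularity score; 0.0 is a perfect beacon. The
    thresholds are illustrative and should be tuned per environment.
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_drive_api(rec["url"]):
            by_client[(rec["src"], rec["proc"])].append(rec["ts"])

    hits = []
    for (src, proc), stamps in sorted(by_client.items()):
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(deltas)
        if mean <= 0:  # all requests in the same second: a burst, not a beacon
            continue
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            hits.append({"src": src, "process": proc, "count": len(stamps),
                         "mean_interval_s": mean, "cv": round(cv, 4)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f'{hit["src"]} {hit["process"]}: {hit["count"]} Drive API requests, '
              f'mean interval {hit["mean_interval_s"]:.0f}s, cv {hit["cv"]}')
```

On the constructed log this flags svchost.exe on 10.1.2.9 (cv 0.0) and updater.exe on 10.1.2.20 (cv about 0.026, so modest jitter does not defeat the check) while leaving the browser traffic alone; the unrelated www.google.com request is ignored because only Drive API paths are counted. Lowering max_cv to 0.01 keeps only the exact 60-second poller, which is the knob to turn if legitimate sync clients in your environment poll Drive on a loose schedule. Process name is a useful second signal here (a service host or an updater talking to Drive is odd on its own) but is deliberately not part of the scoring, since a DLL-hollowed payload can run under any name.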

Date

Published: July 12, 2024, 4:11 p.m.
Created: July 12, 2024, 4:11 p.m.
Modified: July 12, 2024, 4:20 p.m.

Indicators

c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db

a8e6bd132daf0360b1af1f5eea15e42f8c6f1dcd7d34376ae4e83a1a4f5907c0

33fd050760e251ab932e5ca4311b494ef72cee157b20537ce773420845302e49

Attack Patterns

MoonWalk (malware)

DodgeBox (malware; the loader that delivers MoonWalk)

APT41 (threat actor)

T1102.002 Web Service: Bidirectional Communication

T1562.001 Impair Defenses: Disable or Modify Tools

T1590 Gather Victim Network Information

T1573 Encrypted Channel

T1106 Native API

T1592 Gather Victim Host Information

T1027 Obfuscated Files or Information